Windows Analysis Report
New order.bat.exe

Overview

General Information

Sample name: New order.bat.exe
Analysis ID: 1396488
MD5: 3edf35900f95482ac8e77a9d32e6bf3d
SHA1: 3784bf7aa550dd36065092325951d1b4e81a36f2
SHA256: 2c42f0b638e46ffc233200f45ca9436c78fb424fc409574512774dfd3a0621a6
Tags: AgentTeslaexe
Infos:

Detection

AgentTesla, PureLog Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected PureLog Stealer
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Tries to load missing DLLs
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Agent Tesla, AgentTesla A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
 https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

AV Detection
barindex
Found malware configuration
Source: 0.2.New order.bat.exe.4162d08.5.raw.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.elec-qatar.com", "Username": "mohammed.abrar@elec-qatar.com", "Password": "MHabrar2019@#"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe ReversingLabs: Detection: 42%
Multi AV Scanner detection for submitted file
Source: New order.bat.exe ReversingLabs: Detection: 42%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: New order.bat.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: New order.bat.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: New order.bat.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Code function: 4x nop then jmp 06FA617Ch 9_2_06FA5DC7

Networking
barindex
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.4:49735 -> 50.87.139.143:587
Source: Traffic Snort IDS: 2855245 ETPRO TROJAN Agent Tesla Exfil via SMTP 192.168.2.4:49735 -> 50.87.139.143:587
Source: Traffic Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49735 -> 50.87.139.143:587
Source: Traffic Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.4:49735 -> 50.87.139.143:587
Source: Traffic Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49735 -> 50.87.139.143:587
Source: Traffic Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.4:49739 -> 50.87.139.143:587
Source: Traffic Snort IDS: 2855245 ETPRO TROJAN Agent Tesla Exfil via SMTP 192.168.2.4:49739 -> 50.87.139.143:587
Source: Traffic Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49739 -> 50.87.139.143:587
Source: Traffic Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.4:49739 -> 50.87.139.143:587
Source: Traffic Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49739 -> 50.87.139.143:587
Yara detected Generic Downloader
Source: Yara match File source: 0.2.New order.bat.exe.419d928.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.New order.bat.exe.4162d08.5.raw.unpack, type: UNPACKEDPE
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49735 -> 50.87.139.143:587
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View IP Address: 50.87.139.143 50.87.139.143
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
May check the online IP address of the machine
Source: unknown DNS query: name: api.ipify.org
Source: unknown DNS query: name: api.ipify.org
Source: unknown DNS query: name: api.ipify.org
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.4:49735 -> 50.87.139.143:587
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: unknown DNS traffic detected: queries for: api.ipify.org
Source: New order.bat.exe, ydjgrBUVZiNXwd.exe.0.dr String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: New order.bat.exe, ydjgrBUVZiNXwd.exe.0.dr String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: New order.bat.exe, 00000008.00000002.4156694586.0000000003247000.00000004.00000800.00020000.00000000.sdmp, ydjgrBUVZiNXwd.exe, 0000000F.00000002.4157102606.0000000003497000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mail.elec-qatar.com
Source: New order.bat.exe, ydjgrBUVZiNXwd.exe.0.dr String found in binary or memory: http://ocsp.comodoca.com0
Source: New order.bat.exe, 00000000.00000002.1748858370.0000000002E15000.00000004.00000800.00020000.00000000.sdmp, New order.bat.exe, 00000008.00000002.4156694586.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, ydjgrBUVZiNXwd.exe, 00000009.00000002.1782769208.0000000002885000.00000004.00000800.00020000.00000000.sdmp, ydjgrBUVZiNXwd.exe, 0000000F.00000002.4157102606.0000000003421000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: New order.bat.exe, 00000000.00000002.1751983951.0000000007012000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: New order.bat.exe, 00000000.00000002.1751983951.0000000007012000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: New order.bat.exe, 00000000.00000002.1751983951.0000000007012000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: New order.bat.exe, 00000000.00000002.1751983951.0000000007012000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: New order.bat.exe, 00000000.00000002.1751983951.0000000007012000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: New order.bat.exe, 00000000.00000002.1751983951.0000000007012000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: New order.bat.exe, 00000000.00000002.1751983951.0000000007012000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: New order.bat.exe, 00000000.00000002.1751983951.0000000007012000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: New order.bat.exe, 00000000.00000002.1751983951.0000000007012000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: New order.bat.exe, 00000000.00000002.1751983951.0000000007012000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: New order.bat.exe, 00000000.00000002.1751983951.0000000007012000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: New order.bat.exe, 00000000.00000002.1751983951.0000000007012000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: New order.bat.exe, 00000000.00000002.1751983951.0000000007012000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: New order.bat.exe, 00000000.00000002.1751983951.0000000007012000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: New order.bat.exe, 00000000.00000002.1751983951.0000000007012000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: New order.bat.exe, 00000000.00000002.1751983951.0000000007012000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: New order.bat.exe, 00000000.00000002.1751983951.0000000007012000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: New order.bat.exe, 00000000.00000002.1751983951.0000000007012000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: New order.bat.exe, 00000000.00000002.1751983951.0000000007012000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: New order.bat.exe, 00000000.00000002.1751983951.0000000007012000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: New order.bat.exe, 00000000.00000002.1751983951.0000000007012000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: New order.bat.exe, 00000000.00000002.1751983951.0000000007012000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: New order.bat.exe, 00000000.00000002.1751983951.0000000007012000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: New order.bat.exe, 00000000.00000002.1751983951.0000000007012000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: New order.bat.exe, 00000000.00000002.1751983951.0000000007012000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: New order.bat.exe, 00000000.00000002.1749230830.0000000004A5B000.00000004.00000800.00020000.00000000.sdmp, New order.bat.exe, 00000000.00000002.1749230830.00000000040CE000.00000004.00000800.00020000.00000000.sdmp, ydjgrBUVZiNXwd.exe, 0000000F.00000002.4154105782.0000000000429000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://account.dyn.com/
Source: New order.bat.exe, 00000000.00000002.1749230830.0000000004A5B000.00000004.00000800.00020000.00000000.sdmp, New order.bat.exe, 00000000.00000002.1749230830.00000000040CE000.00000004.00000800.00020000.00000000.sdmp, New order.bat.exe, 00000008.00000002.4156694586.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, ydjgrBUVZiNXwd.exe, 0000000F.00000002.4154105782.0000000000429000.00000040.00000400.00020000.00000000.sdmp, ydjgrBUVZiNXwd.exe, 0000000F.00000002.4157102606.0000000003421000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org
Source: New order.bat.exe, 00000008.00000002.4156694586.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, ydjgrBUVZiNXwd.exe, 0000000F.00000002.4157102606.0000000003421000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/
Source: New order.bat.exe, 00000008.00000002.4156694586.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, ydjgrBUVZiNXwd.exe, 0000000F.00000002.4157102606.0000000003421000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/t
Source: New order.bat.exe, ydjgrBUVZiNXwd.exe.0.dr String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49738 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Contains functionality to log keystrokes (.Net Source)
Source: 0.2.New order.bat.exe.4162d08.5.raw.unpack, K6jmfEUYzg.cs .Net Code: aft6g33EiG
Source: 0.2.New order.bat.exe.419d928.3.raw.unpack, K6jmfEUYzg.cs .Net Code: aft6g33EiG
Installs a global keyboard hook
Source: C:\Users\user\Desktop\New order.bat.exe Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\New order.bat.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe
Creates a window with clipboard capturing capabilities
Source: C:\Users\user\Desktop\New order.bat.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Window created: window name: CLIPBRDWNDCLASS

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 0.2.New order.bat.exe.419d928.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.New order.bat.exe.419d928.3.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.New order.bat.exe.4162d08.5.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.New order.bat.exe.4162d08.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: New order.bat.exe
Detected potential crypto function
Source: C:\Users\user\Desktop\New order.bat.exe Code function: 0_2_0146D51C 0_2_0146D51C
Source: C:\Users\user\Desktop\New order.bat.exe Code function: 0_2_053C7210 0_2_053C7210
Source: C:\Users\user\Desktop\New order.bat.exe Code function: 0_2_053C0006 0_2_053C0006
Source: C:\Users\user\Desktop\New order.bat.exe Code function: 0_2_053C0040 0_2_053C0040
Source: C:\Users\user\Desktop\New order.bat.exe Code function: 0_2_053C1090 0_2_053C1090
Source: C:\Users\user\Desktop\New order.bat.exe Code function: 0_2_053C7200 0_2_053C7200
Source: C:\Users\user\Desktop\New order.bat.exe Code function: 0_2_07877D70 0_2_07877D70
Source: C:\Users\user\Desktop\New order.bat.exe Code function: 0_2_0787C378 0_2_0787C378
Source: C:\Users\user\Desktop\New order.bat.exe Code function: 0_2_0787B318 0_2_0787B318
Source: C:\Users\user\Desktop\New order.bat.exe Code function: 0_2_07877A88 0_2_07877A88
Source: C:\Users\user\Desktop\New order.bat.exe Code function: 0_2_07870007 0_2_07870007
Source: C:\Users\user\Desktop\New order.bat.exe Code function: 0_2_07870040 0_2_07870040
Source: C:\Users\user\Desktop\New order.bat.exe Code function: 8_2_0178E6A1 8_2_0178E6A1
Source: C:\Users\user\Desktop\New order.bat.exe Code function: 8_2_0178A94F 8_2_0178A94F
Source: C:\Users\user\Desktop\New order.bat.exe Code function: 8_2_01784A98 8_2_01784A98
Source: C:\Users\user\Desktop\New order.bat.exe Code function: 8_2_01783E80 8_2_01783E80
Source: C:\Users\user\Desktop\New order.bat.exe Code function: 8_2_017841C8 8_2_017841C8
Source: C:\Users\user\Desktop\New order.bat.exe Code function: 8_2_06DC7D90 8_2_06DC7D90
Source: C:\Users\user\Desktop\New order.bat.exe Code function: 8_2_06DC55A0 8_2_06DC55A0
Source: C:\Users\user\Desktop\New order.bat.exe Code function: 8_2_06DCB242 8_2_06DCB242
Source: C:\Users\user\Desktop\New order.bat.exe Code function: 8_2_06DC3058 8_2_06DC3058
Source: C:\Users\user\Desktop\New order.bat.exe Code function: 8_2_06DC7698 8_2_06DC7698
Source: C:\Users\user\Desktop\New order.bat.exe Code function: 8_2_06DC5CDF 8_2_06DC5CDF
Source: C:\Users\user\Desktop\New order.bat.exe Code function: 8_2_06DC05A9 8_2_06DC05A9
Source: C:\Users\user\Desktop\New order.bat.exe Code function: 8_2_06DCE3A8 8_2_06DCE3A8
Source: C:\Users\user\Desktop\New order.bat.exe Code function: 8_2_06DC2340 8_2_06DC2340
Source: C:\Users\user\Desktop\New order.bat.exe Code function: 8_2_06DC0007 8_2_06DC0007
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Code function: 9_2_00DDD51C 9_2_00DDD51C
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Code function: 9_2_04E15B08 9_2_04E15B08
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Code function: 9_2_04E165C8 9_2_04E165C8
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Code function: 9_2_04E165B9 9_2_04E165B9
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Code function: 9_2_04E143C8 9_2_04E143C8
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Code function: 9_2_04E143D8 9_2_04E143D8
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Code function: 9_2_04E13FA8 9_2_04E13FA8
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Code function: 9_2_04E13F88 9_2_04E13F88
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Code function: 9_2_04E15AF9 9_2_04E15AF9
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Code function: 9_2_06CA7D70 9_2_06CA7D70
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Code function: 9_2_06CAC378 9_2_06CAC378
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Code function: 9_2_06CA7A88 9_2_06CA7A88
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Code function: 9_2_06CAB318 9_2_06CAB318
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Code function: 9_2_06CA0040 9_2_06CA0040
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Code function: 9_2_06CA003B 9_2_06CA003B
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Code function: 9_2_06FA7FE8 9_2_06FA7FE8
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Code function: 9_2_06FA1C78 9_2_06FA1C78
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Code function: 9_2_06FA0478 9_2_06FA0478
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Code function: 9_2_06FA0468 9_2_06FA0468
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Code function: 9_2_06FA2A60 9_2_06FA2A60
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Code function: 9_2_06FA20B0 9_2_06FA20B0
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Code function: 9_2_06FA20A0 9_2_06FA20A0
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Code function: 9_2_06FA0040 9_2_06FA0040
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Code function: 15_2_033B41C8 15_2_033B41C8
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Code function: 15_2_033BE627 15_2_033BE627
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Code function: 15_2_033BAA1A 15_2_033BAA1A
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Code function: 15_2_033B4A98 15_2_033B4A98
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Code function: 15_2_033B3E80 15_2_033B3E80
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Code function: 15_2_06F23058 15_2_06F23058
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Code function: 15_2_06F27698 15_2_06F27698
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Code function: 15_2_06F2E3A8 15_2_06F2E3A8
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Code function: 15_2_06F20376 15_2_06F20376
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Code function: 15_2_06F20040 15_2_06F20040
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Code function: 15_2_06F20006 15_2_06F20006
PE / OLE file has an invalid certificate
Source: New order.bat.exe Static PE information: invalid certificate
Sample file is different than original file name gathered from version info
Source: New order.bat.exe, 00000000.00000002.1749230830.00000000040CE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename1aa5ed53-faea-433c-bf5f-9e47e14be233.exe4 vs New order.bat.exe
Source: New order.bat.exe, 00000000.00000002.1749230830.00000000040CE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs New order.bat.exe
Source: New order.bat.exe, 00000000.00000002.1747877722.0000000000E5E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs New order.bat.exe
Source: New order.bat.exe, 00000000.00000002.1753142867.0000000007AA0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs New order.bat.exe
Source: New order.bat.exe, 00000000.00000002.1748858370.0000000002E6F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename1aa5ed53-faea-433c-bf5f-9e47e14be233.exe4 vs New order.bat.exe
Source: New order.bat.exe, 00000008.00000002.4155426660.0000000001458000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dll# vs New order.bat.exe
Source: New order.bat.exe, 00000008.00000002.4154083343.000000000043E000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilename1aa5ed53-faea-433c-bf5f-9e47e14be233.exe4 vs New order.bat.exe
Source: New order.bat.exe, 00000008.00000002.4154438687.00000000012F8000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs New order.bat.exe
Source: New order.bat.exe Binary or memory string: OriginalFilenameKTLX.exeH vs New order.bat.exe
Tries to load missing DLLs
Source: C:\Users\user\Desktop\New order.bat.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Section loaded: edputil.dll
Uses 32bit PE files
Source: New order.bat.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 0.2.New order.bat.exe.419d928.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.New order.bat.exe.419d928.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.New order.bat.exe.4162d08.5.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.New order.bat.exe.4162d08.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: New order.bat.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ydjgrBUVZiNXwd.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.New order.bat.exe.3dd3790.4.raw.unpack, wlMuNfYU9ETTr7SmU1.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.New order.bat.exe.3dd3790.4.raw.unpack, wlMuNfYU9ETTr7SmU1.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.New order.bat.exe.3db9970.7.raw.unpack, wlMuNfYU9ETTr7SmU1.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.New order.bat.exe.3db9970.7.raw.unpack, wlMuNfYU9ETTr7SmU1.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.New order.bat.exe.4162d08.5.raw.unpack, UyDMxsd3t.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.New order.bat.exe.4162d08.5.raw.unpack, 86A7K.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.New order.bat.exe.4162d08.5.raw.unpack, vztq.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.New order.bat.exe.4162d08.5.raw.unpack, B80ITW1.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.New order.bat.exe.4162d08.5.raw.unpack, uQSn7t.cs Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.New order.bat.exe.4162d08.5.raw.unpack, bEoUgRL.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.New order.bat.exe.41df328.2.raw.unpack, HQEor7JLsfuGa3kcR3.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.New order.bat.exe.41df328.2.raw.unpack, KMZs7584nnwtUfNmc3.cs Security API names: _0020.SetAccessControl
Source: 0.2.New order.bat.exe.41df328.2.raw.unpack, KMZs7584nnwtUfNmc3.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.New order.bat.exe.41df328.2.raw.unpack, KMZs7584nnwtUfNmc3.cs Security API names: _0020.AddAccessRule
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@23/15@2/2
Source: C:\Users\user\Desktop\New order.bat.exe File created: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6952:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7616:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7752:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7680:120:WilError_03
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Mutant created: \Sessions\1\BaseNamedObjects\hjlXgSqqZHCOzYthfrmG
Source: C:\Users\user\Desktop\New order.bat.exe File created: C:\Users\user\AppData\Local\Temp\tmp6538.tmp Jump to behavior
Source: New order.bat.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: New order.bat.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\New order.bat.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\New order.bat.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\New order.bat.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: New order.bat.exe ReversingLabs: Detection: 42%
Source: C:\Users\user\Desktop\New order.bat.exe File read: C:\Users\user\Desktop\New order.bat.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\New order.bat.exe C:\Users\user\Desktop\New order.bat.exe
Source: C:\Users\user\Desktop\New order.bat.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\New order.bat.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\New order.bat.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\New order.bat.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ydjgrBUVZiNXwd" /XML "C:\Users\user\AppData\Local\Temp\tmp6538.tmp
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\New order.bat.exe Process created: C:\Users\user\Desktop\New order.bat.exe C:\Users\user\Desktop\New order.bat.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ydjgrBUVZiNXwd" /XML "C:\Users\user\AppData\Local\Temp\tmp714E.tmp
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process created: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process created: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process created: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe
Source: C:\Users\user\Desktop\New order.bat.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\New order.bat.exe Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ydjgrBUVZiNXwd" /XML "C:\Users\user\AppData\Local\Temp\tmp6538.tmp Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process created: C:\Users\user\Desktop\New order.bat.exe C:\Users\user\Desktop\New order.bat.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ydjgrBUVZiNXwd" /XML "C:\Users\user\AppData\Local\Temp\tmp714E.tmp Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process created: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process created: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process created: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\New order.bat.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles Jump to behavior
Source: New order.bat.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: New order.bat.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation
barindex
.NET source code contains method to dynamically call methods (often used by packers)
Source: 0.2.New order.bat.exe.3dd3790.4.raw.unpack, wlMuNfYU9ETTr7SmU1.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.New order.bat.exe.3db9970.7.raw.unpack, wlMuNfYU9ETTr7SmU1.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.New order.bat.exe.7730000.8.raw.unpack, wlMuNfYU9ETTr7SmU1.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.New order.bat.exe.2df20f0.0.raw.unpack, fJ.cs .Net Code: xG(typeof(Marshal).TypeHandle).GetMethod("GetDelegateForFunctionPointer", new Type[2]{xG(typeof(IntPtr).TypeHandle),typeof(Type)})
Source: 0.2.New order.bat.exe.7770000.10.raw.unpack, fJ.cs .Net Code: xG(typeof(Marshal).TypeHandle).GetMethod("GetDelegateForFunctionPointer", new Type[2]{xG(typeof(IntPtr).TypeHandle),typeof(Type)})
.NET source code contains potential unpacker
Source: New order.bat.exe, AutoCentreForm.cs .Net Code: InitializeComponent
Source: ydjgrBUVZiNXwd.exe.0.dr, AutoCentreForm.cs .Net Code: InitializeComponent
Source: 0.2.New order.bat.exe.3dd3790.4.raw.unpack, Architectural.cs .Net Code: Justy
Source: 0.2.New order.bat.exe.3dd3790.4.raw.unpack, Architectural.cs .Net Code: BfZIR9eYv System.Reflection.Assembly.Load(byte[])
Source: 0.2.New order.bat.exe.3db9970.7.raw.unpack, Architectural.cs .Net Code: Justy
Source: 0.2.New order.bat.exe.3db9970.7.raw.unpack, Architectural.cs .Net Code: BfZIR9eYv System.Reflection.Assembly.Load(byte[])
Source: 0.2.New order.bat.exe.41df328.2.raw.unpack, KMZs7584nnwtUfNmc3.cs .Net Code: inKtmjb1fn System.Reflection.Assembly.Load(byte[])
Source: 0.2.New order.bat.exe.7730000.8.raw.unpack, Architectural.cs .Net Code: Justy
Source: 0.2.New order.bat.exe.7730000.8.raw.unpack, Architectural.cs .Net Code: BfZIR9eYv System.Reflection.Assembly.Load(byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\New order.bat.exe Code function: 0_2_078731B7 pushfd ; iretd 0_2_078731BA
Source: C:\Users\user\Desktop\New order.bat.exe Code function: 8_2_01780C3D push edi; ret 8_2_01780CC2
Source: C:\Users\user\Desktop\New order.bat.exe Code function: 8_2_01780C95 push edi; retf 8_2_01780C3A
Source: C:\Users\user\Desktop\New order.bat.exe Code function: 8_2_06DC69C6 pushfd ; iretd 8_2_06DC69C8
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Code function: 9_2_04E19793 push eax; iretd 9_2_04E19796
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Code function: 9_2_04E16063 push ecx; retf 9_2_04E16064
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Code function: 9_2_04E16050 push ecx; retf 9_2_04E16051
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Code function: 9_2_04E1A37F pushad ; ret 9_2_04E1A386
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Code function: 9_2_04E1A349 pushfd ; ret 9_2_04E1A34A
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Code function: 9_2_04E12960 push eax; ret 9_2_04E12961
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Code function: 9_2_06CA5E4B push es; ret 9_2_06CA5E50
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Code function: 9_2_06CA5DBB push es; iretd 9_2_06CA5DBC
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Code function: 9_2_06CA5D3F push es; retf 9_2_06CA5D40
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Code function: 9_2_06CA5BD1 push es; iretd 9_2_06CA5BD4
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Code function: 9_2_06CA5B2D push es; iretd 9_2_06CA5B30
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Code function: 9_2_06CA58D3 push es; ret 9_2_06CA58E4
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Code function: 9_2_06CA5887 push es; ret 9_2_06CA58E4
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Code function: 9_2_06CA59F3 push es; ret 9_2_06CA59F8
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Code function: 9_2_06CA59B9 push es; iretd 9_2_06CA59BC
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Code function: 9_2_06CA31B7 pushfd ; iretd 9_2_06CA31BA
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Code function: 15_2_033B0C3D push edi; ret 15_2_033B0CC2
Source: New order.bat.exe Static PE information: section name: .text entropy: 7.971094343728935
Source: ydjgrBUVZiNXwd.exe.0.dr Static PE information: section name: .text entropy: 7.971094343728935
Source: 0.2.New order.bat.exe.3dd3790.4.raw.unpack, ybbGOTR1N80dNbk6Yv.cs High entropy of concatenated method names: 'obcHojbACJ', 'YnKHTkWS94', 'V3UHNmonbN', 'AuPHVudqss', 'SJBHWK3PRm', 'wkNHA4K7Me', 'L35Hyg9bdX', 'n89HDZAL4k', 'OepHGjo5FD', 'MoeHJmlv16'
Source: 0.2.New order.bat.exe.3dd3790.4.raw.unpack, LinkedList.cs High entropy of concatenated method names: 'mn8lVDqlu', 'Uxue7aya3', 'KsFMnxhPk', 'ruSPXGSHZ', 'tdQBaRbij', 'ApGpyUtBu', 'Bm5j1f22p4rvC7Eu0G', 'yNLEN1RWrWr7H8C9D4', 'Dispose', 'MoveNext'
Source: 0.2.New order.bat.exe.3dd3790.4.raw.unpack, Architectural.cs High entropy of concatenated method names: 'Sort', 'Sort', 'u3bDyB9EB', 'jnVG6G0sx', 'NAaJ4PRFw', 'RestoreOriginalBitmap', 'Justy', 'mtp2IE8Nv', 'BfZIR9eYv', 'LowestBreakIteration'
Source: 0.2.New order.bat.exe.3dd3790.4.raw.unpack, MainForm.cs High entropy of concatenated method names: 'QEHEJ0ZEc', 'xWtkSmxXM', 'uUSoOZRtA', 'Dispose', 'yeRTIpRwj', 'r1YXj5fPVZm4y3Ug3f', 'K4LEmEBCcbAGHf4JhV', 'V6KVEyrTgoasGeD8Zb', 'ymWMMfbpAnyZ7dSZbA', 'IhZliPvmPYrV1280b1'
Source: 0.2.New order.bat.exe.3dd3790.4.raw.unpack, wlMuNfYU9ETTr7SmU1.cs High entropy of concatenated method names: 'vB7dgYlwIB5e4GotdD', 'h1qusDERcT8AOZTJmN', 'O9t3jXtovErCbWCOlE', 'QkAH1cPp6G', 'RgtTUJcyZL', 's7mHwaN5MT', 'n3AHmM6wxu', 'TUlH3q3EyS', 'XPxHXcdE1G', 'gX3mZCcRjff06'
Source: 0.2.New order.bat.exe.3db9970.7.raw.unpack, ybbGOTR1N80dNbk6Yv.cs High entropy of concatenated method names: 'obcHojbACJ', 'YnKHTkWS94', 'V3UHNmonbN', 'AuPHVudqss', 'SJBHWK3PRm', 'wkNHA4K7Me', 'L35Hyg9bdX', 'n89HDZAL4k', 'OepHGjo5FD', 'MoeHJmlv16'
Source: 0.2.New order.bat.exe.3db9970.7.raw.unpack, LinkedList.cs High entropy of concatenated method names: 'mn8lVDqlu', 'Uxue7aya3', 'KsFMnxhPk', 'ruSPXGSHZ', 'tdQBaRbij', 'ApGpyUtBu', 'Bm5j1f22p4rvC7Eu0G', 'yNLEN1RWrWr7H8C9D4', 'Dispose', 'MoveNext'
Source: 0.2.New order.bat.exe.3db9970.7.raw.unpack, Architectural.cs High entropy of concatenated method names: 'Sort', 'Sort', 'u3bDyB9EB', 'jnVG6G0sx', 'NAaJ4PRFw', 'RestoreOriginalBitmap', 'Justy', 'mtp2IE8Nv', 'BfZIR9eYv', 'LowestBreakIteration'
Source: 0.2.New order.bat.exe.3db9970.7.raw.unpack, MainForm.cs High entropy of concatenated method names: 'QEHEJ0ZEc', 'xWtkSmxXM', 'uUSoOZRtA', 'Dispose', 'yeRTIpRwj', 'r1YXj5fPVZm4y3Ug3f', 'K4LEmEBCcbAGHf4JhV', 'V6KVEyrTgoasGeD8Zb', 'ymWMMfbpAnyZ7dSZbA', 'IhZliPvmPYrV1280b1'
Source: 0.2.New order.bat.exe.3db9970.7.raw.unpack, wlMuNfYU9ETTr7SmU1.cs High entropy of concatenated method names: 'vB7dgYlwIB5e4GotdD', 'h1qusDERcT8AOZTJmN', 'O9t3jXtovErCbWCOlE', 'QkAH1cPp6G', 'RgtTUJcyZL', 's7mHwaN5MT', 'n3AHmM6wxu', 'TUlH3q3EyS', 'XPxHXcdE1G', 'gX3mZCcRjff06'
Source: 0.2.New order.bat.exe.41df328.2.raw.unpack, l6qPMVdMX6BfPdwIDQ.cs High entropy of concatenated method names: 'LKtbrWZgSY', 'qrIbG33LxS', 'X6hbE2VckT', 'DNpb7bPZNe', 'VHSbNmocvS', 'Po3bB3uLEM', 'TFBb6Mm0MD', 'vMqb8LErvM', 'fsKbkw6ecy', 'iw4bHfDx8D'
Source: 0.2.New order.bat.exe.41df328.2.raw.unpack, NJjLR4enOfQShdG3Ge.cs High entropy of concatenated method names: 'y0XaCWvLCu', 'YAyaS3Obx3', 'bKmamnUYf7', 'RRsarAId9E', 'R67aiW6881', 'wGGaG84L1o', 'E7UaF8FpLx', 'HbAaEn6Acq', 'S4Xa7Nk3gY', 'lqmaqHhUih'
Source: 0.2.New order.bat.exe.41df328.2.raw.unpack, dXqULNtLGnDfQBQy6rC.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'hTyHIRN9kK', 'rUcHuFvdEf', 'HoxHJOpKAu', 'Q7gHLZAr9J', 'VIlH0qFUdA', 'Pw4HpbXXa7', 'PcjHvgXeGl'
Source: 0.2.New order.bat.exe.41df328.2.raw.unpack, bU1bgWlRvNyOUhlEYx.cs High entropy of concatenated method names: 'ktQ8YWlF3a', 'AVV8W4T9oJ', 'Yg98bqi4Vg', 'tHg8dIcXcF', 'rqH82J7B3D', 'LlG8a3rAwT', 'Qsg8363qkL', 'DjP8MigCmN', 'NRH8QfgI5g', 'unR8gYZCqn'
Source: 0.2.New order.bat.exe.41df328.2.raw.unpack, XcUeDkHp4sP8jOhTp3.cs High entropy of concatenated method names: 'ByD6QoC1ED', 'IiN6gODnUP', 'ToString', 'kfe6YcQv57', 'lrj6WGocly', 'mjr6bVhSLB', 'HnX6dLigNd', 'O2F62uBRZf', 'elP6avI0HG', 'icj63nwuYx'
Source: 0.2.New order.bat.exe.41df328.2.raw.unpack, GZ03kWPOeZFvD7CUcp.cs High entropy of concatenated method names: 'aNNaYfTAwT', 'T4vabPets0', 'Boma26u8Fo', 'VwD2Ug8rSB', 'm9d2zHFoaW', 'f47aXDtwDG', 'CQYa4qPkCq', 'iFbaK8P4ys', 'M10aen7hhR', 'Y8gat0l2EP'
Source: 0.2.New order.bat.exe.41df328.2.raw.unpack, LasBlFX9WeUamN5FNp.cs High entropy of concatenated method names: 'Sla8ApAdiG', 'S4e8y5Q5Mw', 'tqO8cbGnfm', 'nTL816hyY9', 'Hnd8IiGBvc', 'p2o8j0gRTe', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.New order.bat.exe.41df328.2.raw.unpack, KMZs7584nnwtUfNmc3.cs High entropy of concatenated method names: 's8WelPHu96', 'j2SeYI4ADl', 'cgueWtvpjl', 'My9ebV7IeH', 'gTUedcPir0', 'lSMe2HWor0', 'lfleah4oPw', 'e92e3RTkoP', 'byfeMrFwjR', 'WWSeQb8OTW'
Source: 0.2.New order.bat.exe.41df328.2.raw.unpack, VSjCVTUSvXmKiWKROb.cs High entropy of concatenated method names: 'zyf4aNKf4T', 'WX743I2TiI', 'ALr4Q1uo8u', 'HAc4gWagON', 'VQv4NPNANp', 'tl14BSfoyG', 'VCwJVUFwZTGYImBiLh', 'xQFaaSgyJrLbvxrMvW', 'W1944pKakK', 'TYC4eLvV8K'
Source: 0.2.New order.bat.exe.41df328.2.raw.unpack, rk41rkzCpdNCSQGOjm.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'psQk9ZtsKX', 'v4CkNecm1r', 'Mp3kBHEVBT', 'y3fk62F7q7', 'tj2k8E4cbN', 'KhKkktoCLY', 'CFlkHLBc6G'
Source: 0.2.New order.bat.exe.41df328.2.raw.unpack, BGLpFjSc98sNVM64iG.cs High entropy of concatenated method names: 'ToString', 'VDNBwDRT1p', 'JN7ByItTOB', 'evpBcyMog8', 'HeqB1MJXCu', 'ymdBjJY7Qe', 'cUrBxcnBSh', 'zMSBR3ueGC', 'dHJBO0gLHh', 'dlXBPZLFBK'
Source: 0.2.New order.bat.exe.41df328.2.raw.unpack, sUlvCO3eplMJYWNb3X.cs High entropy of concatenated method names: 'yKGdihuIhg', 'iFHdFRbRn3', 'eARbc2Ja8r', 'fusb1D6SRT', 'V4IbjWuwMV', 'XfLbxMkiZ3', 'gEGbRgEeZr', 'oxVbOa4lCd', 'LrabPIlG14', 'If4bTrGwEN'
Source: 0.2.New order.bat.exe.41df328.2.raw.unpack, y2hVBpNjKBbxIBUPVc.cs High entropy of concatenated method names: 'DHek48pqhS', 'HuRkewXNTI', 'KC2ktDmrrP', 'soTkYxAj8s', 'qKTkWpLnpJ', 'vjxkdd7d2v', 'RAwk2UXbvr', 'F0O8vvvYf4', 'wdY8nKKose', 'hyt8VNBY8M'
Source: 0.2.New order.bat.exe.41df328.2.raw.unpack, faXMEMw5RushDJjtyT.cs High entropy of concatenated method names: 'Dispose', 'lpH4Ve95vb', 'lrBKy4tC1P', 'MrXhhlTqMl', 'LX44UgVvuj', 'BFQ4zst0gp', 'ProcessDialogKey', 'qxaKXLDhTH', 'M8gK4ywHPG', 'INpKK1VICj'
Source: 0.2.New order.bat.exe.41df328.2.raw.unpack, nEZIrPqLaxk19D94ha.cs High entropy of concatenated method names: 'mPW6nN8GVU', 'cir6UkCWUr', 'QBw8XJOsGy', 'Oel84eP29X', 'G3X6w49cka', 'BfW6Dl9qed', 'uvX6fI5sak', 'Fwg6Ie9Btg', 'OKZ6uJkfN2', 'lb66JUJdpZ'
Source: 0.2.New order.bat.exe.41df328.2.raw.unpack, ViwSJLh4wh9R6qppRy.cs High entropy of concatenated method names: 'S2umvCokE', 'm9ArOXSia', 'f0MG9uu2N', 'KcEFKj6id', 'anq7w4xPt', 'xM0qk18Kr', 'hc8YXusVau9Wgsfqsj', 'DAm3GTlukwKtbhUXlV', 'Ib78cOfZs', 'kwSHgLYEY'
Source: 0.2.New order.bat.exe.41df328.2.raw.unpack, chdK2lBdt6DGDO5QTm.cs High entropy of concatenated method names: 'K9w9EIUNrG', 'UT497XJXTv', 'Cos9AZP79r', 'zEO9y2VRH8', 'VR491kVxZo', 'MxP9jEDgRh', 'JZ49RJb4ZB', 'mbZ9OxutXJ', 'eVI9TpH1uN', 'L8p9wP02wJ'
Source: 0.2.New order.bat.exe.41df328.2.raw.unpack, v8pBoexsCTZvPac9Dh.cs High entropy of concatenated method names: 'K4KfZ16tlnaUXk1anGf', 'PiOQYy6rwKbANDY1B0X', 'CJG28Kf0cF', 'Xtd2kFooUs', 'hm12HZ7N2h', 'GAywel6cMBjBr96RWlb', 'ThGE7E615VW6UCRvgte'
Source: 0.2.New order.bat.exe.41df328.2.raw.unpack, HQEor7JLsfuGa3kcR3.cs High entropy of concatenated method names: 'UhwWIXj5du', 'X4HWuA9fuv', 'VnsWJOICbT', 'CmYWLENhqB', 'kGKW0T3OW6', 'ls7WpxxWtO', 'PkGWvVZMnA', 'rqWWnyD861', 'XcHWVQOww3', 'wQFWUSsQQ6'
Source: 0.2.New order.bat.exe.41df328.2.raw.unpack, jwNYgSRoli37F24KtC.cs High entropy of concatenated method names: 'j212lhngkQ', 'EHE2WwODOx', 'InZ2ddVRGg', 'RYi2av9Z8W', 'O8623ICab1', 'JDwd0hZvLW', 'lPodprtlcZ', 'ApTdvoKcY3', 'lqudnSVKEm', 'A4RdV8fi5x'
Source: 0.2.New order.bat.exe.41df328.2.raw.unpack, LMYQkWtvFG9jRIfNKLA.cs High entropy of concatenated method names: 'RkikCLVCQ2', 'vTrkSerbEa', 'tWUkmNwoRQ', 'ExXkrVZV67', 'bWikiekJKi', 'Rk6kGevApE', 'OOZkFAIXp8', 'zDtkEV2mAC', 'sjfk7gyQEU', 'ltPkqmikpy'
Source: 0.2.New order.bat.exe.41df328.2.raw.unpack, xagmt3ZZEPbDShpFjP.cs High entropy of concatenated method names: 'HWQ2sr7TFl', 'CPf2CL3q1D', 'zjO2mxZYNU', 'JLc2rWQ2nm', 'pHS2GDB7cb', 'vY32FVZi1N', 'KGh27HvUWK', 'SdY2qxvTk2', 'Bw4uUH6NgMadeWgYS8h', 'nHAEa56CIjh9mONdJAl'
Source: 0.2.New order.bat.exe.7730000.8.raw.unpack, ybbGOTR1N80dNbk6Yv.cs High entropy of concatenated method names: 'obcHojbACJ', 'YnKHTkWS94', 'V3UHNmonbN', 'AuPHVudqss', 'SJBHWK3PRm', 'wkNHA4K7Me', 'L35Hyg9bdX', 'n89HDZAL4k', 'OepHGjo5FD', 'MoeHJmlv16'
Source: 0.2.New order.bat.exe.7730000.8.raw.unpack, LinkedList.cs High entropy of concatenated method names: 'mn8lVDqlu', 'Uxue7aya3', 'KsFMnxhPk', 'ruSPXGSHZ', 'tdQBaRbij', 'ApGpyUtBu', 'Bm5j1f22p4rvC7Eu0G', 'yNLEN1RWrWr7H8C9D4', 'Dispose', 'MoveNext'
Source: 0.2.New order.bat.exe.7730000.8.raw.unpack, Architectural.cs High entropy of concatenated method names: 'Sort', 'Sort', 'u3bDyB9EB', 'jnVG6G0sx', 'NAaJ4PRFw', 'RestoreOriginalBitmap', 'Justy', 'mtp2IE8Nv', 'BfZIR9eYv', 'LowestBreakIteration'
Source: 0.2.New order.bat.exe.7730000.8.raw.unpack, MainForm.cs High entropy of concatenated method names: 'QEHEJ0ZEc', 'xWtkSmxXM', 'uUSoOZRtA', 'Dispose', 'yeRTIpRwj', 'r1YXj5fPVZm4y3Ug3f', 'K4LEmEBCcbAGHf4JhV', 'V6KVEyrTgoasGeD8Zb', 'ymWMMfbpAnyZ7dSZbA', 'IhZliPvmPYrV1280b1'
Source: 0.2.New order.bat.exe.7730000.8.raw.unpack, wlMuNfYU9ETTr7SmU1.cs High entropy of concatenated method names: 'vB7dgYlwIB5e4GotdD', 'h1qusDERcT8AOZTJmN', 'O9t3jXtovErCbWCOlE', 'QkAH1cPp6G', 'RgtTUJcyZL', 's7mHwaN5MT', 'n3AHmM6wxu', 'TUlH3q3EyS', 'XPxHXcdE1G', 'gX3mZCcRjff06'
Source: 0.2.New order.bat.exe.2df20f0.0.raw.unpack, fJ.cs High entropy of concatenated method names: 'Jj1', 'MjV', 'VmD', 'OjP', 'AjI', 'sj9', 'jjb', 'yjh', 'RgtTUJcyZL', 'Vmf'
Source: 0.2.New order.bat.exe.7770000.10.raw.unpack, fJ.cs High entropy of concatenated method names: 'Jj1', 'MjV', 'VmD', 'OjP', 'AjI', 'sj9', 'jjb', 'yjh', 'RgtTUJcyZL', 'Vmf'
Drops PE files
Source: C:\Users\user\Desktop\New order.bat.exe File created: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Jump to dropped file

Boot Survival
barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\New order.bat.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ydjgrBUVZiNXwd" /XML "C:\Users\user\AppData\Local\Temp\tmp6538.tmp
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\New order.bat.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: New order.bat.exe PID: 7428, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ydjgrBUVZiNXwd.exe PID: 7924, type: MEMORYSTR
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\New order.bat.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\New order.bat.exe Memory allocated: 1460000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Memory allocated: 2DB0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Memory allocated: 4DB0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Memory allocated: 7C60000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Memory allocated: 8C60000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Memory allocated: 8E10000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Memory allocated: 9E10000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Memory allocated: 1780000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Memory allocated: 31D0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Memory allocated: 51D0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Memory allocated: DD0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Memory allocated: 2820000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Memory allocated: 4820000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Memory allocated: 71B0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Memory allocated: 81B0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Memory allocated: 8350000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Memory allocated: 9350000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Memory allocated: 1A10000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Memory allocated: 3420000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Memory allocated: 1A10000 memory reserve | memory write watch
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\New order.bat.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Thread delayed: delay time: 1200000 Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Thread delayed: delay time: 1199889 Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Thread delayed: delay time: 1199782 Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Thread delayed: delay time: 1199657 Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Thread delayed: delay time: 1199547 Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Thread delayed: delay time: 1199438 Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Thread delayed: delay time: 1199313 Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Thread delayed: delay time: 1199188 Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Thread delayed: delay time: 1199063 Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Thread delayed: delay time: 1198938 Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Thread delayed: delay time: 1198827 Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Thread delayed: delay time: 1198719 Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Thread delayed: delay time: 1198594 Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Thread delayed: delay time: 1198484 Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Thread delayed: delay time: 1198376 Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Thread delayed: delay time: 1198251 Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Thread delayed: delay time: 1198126 Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Thread delayed: delay time: 1198001 Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Thread delayed: delay time: 1197876 Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Thread delayed: delay time: 1197751 Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Thread delayed: delay time: 1197626 Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Thread delayed: delay time: 1197501 Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Thread delayed: delay time: 1197376 Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Thread delayed: delay time: 1197251 Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Thread delayed: delay time: 1197126 Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Thread delayed: delay time: 1197001 Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Thread delayed: delay time: 1196876 Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Thread delayed: delay time: 1196751 Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Thread delayed: delay time: 1196626 Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Thread delayed: delay time: 1196501 Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Thread delayed: delay time: 1196376 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Thread delayed: delay time: 1199937
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Thread delayed: delay time: 1199828
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Thread delayed: delay time: 1199718
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Thread delayed: delay time: 1199609
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Thread delayed: delay time: 1199499
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Thread delayed: delay time: 1199390
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Thread delayed: delay time: 1199281
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Thread delayed: delay time: 1199171
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Thread delayed: delay time: 1199060
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Thread delayed: delay time: 1198953
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Thread delayed: delay time: 1198843
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Thread delayed: delay time: 1198734
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Thread delayed: delay time: 1198624
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Thread delayed: delay time: 1198515
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Thread delayed: delay time: 1198406
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Thread delayed: delay time: 1198296
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Thread delayed: delay time: 1198187
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Thread delayed: delay time: 1198078
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Thread delayed: delay time: 1197968
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Thread delayed: delay time: 1197859
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Thread delayed: delay time: 1197749
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Thread delayed: delay time: 1197640
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Thread delayed: delay time: 1197531
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Thread delayed: delay time: 1197421
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Thread delayed: delay time: 1197312
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Thread delayed: delay time: 1197202
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Thread delayed: delay time: 1197093
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Thread delayed: delay time: 1196983
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Thread delayed: delay time: 1196874
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Thread delayed: delay time: 1196765
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Thread delayed: delay time: 1196655
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Thread delayed: delay time: 1196546
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Thread delayed: delay time: 1196437
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Thread delayed: delay time: 1196327
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4181 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5193 Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Window / User API: threadDelayed 3050 Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Window / User API: threadDelayed 6770 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Window / User API: threadDelayed 8908
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Window / User API: threadDelayed 949
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\New order.bat.exe TID: 7452 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7720 Thread sleep count: 4181 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7720 Thread sleep count: 249 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7916 Thread sleep time: -1844674407370954s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7848 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7920 Thread sleep time: -2767011611056431s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7872 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe TID: 8092 Thread sleep time: -26747778906878833s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe TID: 8092 Thread sleep time: -100000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe TID: 8092 Thread sleep time: -99890s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe TID: 8100 Thread sleep count: 3050 > 30 Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe TID: 8100 Thread sleep count: 6770 > 30 Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe TID: 8092 Thread sleep time: -99781s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe TID: 8092 Thread sleep time: -99671s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe TID: 8092 Thread sleep time: -99562s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe TID: 8092 Thread sleep time: -99453s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe TID: 8092 Thread sleep time: -99343s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe TID: 8092 Thread sleep time: -99234s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe TID: 8092 Thread sleep time: -99125s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe TID: 8092 Thread sleep time: -99015s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe TID: 8092 Thread sleep time: -98906s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe TID: 8092 Thread sleep time: -98796s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe TID: 8092 Thread sleep time: -98687s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe TID: 8092 Thread sleep time: -98578s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe TID: 8092 Thread sleep time: -98468s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe TID: 8092 Thread sleep time: -98353s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe TID: 8092 Thread sleep time: -98250s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe TID: 8092 Thread sleep time: -98140s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe TID: 8092 Thread sleep time: -98031s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe TID: 8092 Thread sleep time: -1200000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe TID: 8092 Thread sleep time: -1199889s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe TID: 8092 Thread sleep time: -1199782s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe TID: 8092 Thread sleep time: -1199657s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe TID: 8092 Thread sleep time: -1199547s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe TID: 8092 Thread sleep time: -1199438s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe TID: 8092 Thread sleep time: -1199313s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe TID: 8092 Thread sleep time: -1199188s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe TID: 8092 Thread sleep time: -1199063s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe TID: 8092 Thread sleep time: -1198938s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe TID: 8092 Thread sleep time: -1198827s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe TID: 8092 Thread sleep time: -1198719s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe TID: 8092 Thread sleep time: -1198594s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe TID: 8092 Thread sleep time: -1198484s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe TID: 8092 Thread sleep time: -1198376s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe TID: 8092 Thread sleep time: -1198251s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe TID: 8092 Thread sleep time: -1198126s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe TID: 8092 Thread sleep time: -1198001s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe TID: 8092 Thread sleep time: -1197876s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe TID: 8092 Thread sleep time: -1197751s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe TID: 8092 Thread sleep time: -1197626s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe TID: 8092 Thread sleep time: -1197501s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe TID: 8092 Thread sleep time: -1197376s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe TID: 8092 Thread sleep time: -1197251s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe TID: 8092 Thread sleep time: -1197126s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe TID: 8092 Thread sleep time: -1197001s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe TID: 8092 Thread sleep time: -1196876s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe TID: 8092 Thread sleep time: -1196751s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe TID: 8092 Thread sleep time: -1196626s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe TID: 8092 Thread sleep time: -1196501s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe TID: 8092 Thread sleep time: -1196376s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe TID: 8004 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe TID: 7624 Thread sleep time: -23980767295822402s >= -30000s
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe TID: 7624 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe TID: 7628 Thread sleep count: 8908 > 30
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe TID: 7624 Thread sleep time: -99875s >= -30000s
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe TID: 7628 Thread sleep count: 949 > 30
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe TID: 7624 Thread sleep time: -99765s >= -30000s
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe TID: 7624 Thread sleep time: -99656s >= -30000s
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe TID: 7624 Thread sleep time: -99546s >= -30000s
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe TID: 7624 Thread sleep time: -99437s >= -30000s
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe TID: 7624 Thread sleep time: -99325s >= -30000s
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe TID: 7624 Thread sleep time: -99218s >= -30000s
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe TID: 7624 Thread sleep time: -99109s >= -30000s
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe TID: 7624 Thread sleep time: -99000s >= -30000s
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe TID: 7624 Thread sleep time: -98890s >= -30000s
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe TID: 7624 Thread sleep time: -98777s >= -30000s
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe TID: 7624 Thread sleep time: -98671s >= -30000s
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe TID: 7624 Thread sleep time: -98562s >= -30000s
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe TID: 7624 Thread sleep time: -98453s >= -30000s
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe TID: 7624 Thread sleep time: -98343s >= -30000s
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe TID: 7624 Thread sleep time: -1199937s >= -30000s
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe TID: 7624 Thread sleep time: -1199828s >= -30000s
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe TID: 7624 Thread sleep time: -1199718s >= -30000s
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe TID: 7624 Thread sleep time: -1199609s >= -30000s
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe TID: 7624 Thread sleep time: -1199499s >= -30000s
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe TID: 7624 Thread sleep time: -1199390s >= -30000s
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe TID: 7624 Thread sleep time: -1199281s >= -30000s
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe TID: 7624 Thread sleep time: -1199171s >= -30000s
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe TID: 7624 Thread sleep time: -1199060s >= -30000s
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe TID: 7624 Thread sleep time: -1198953s >= -30000s
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe TID: 7624 Thread sleep time: -1198843s >= -30000s
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe TID: 7624 Thread sleep time: -1198734s >= -30000s
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe TID: 7624 Thread sleep time: -1198624s >= -30000s
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe TID: 7624 Thread sleep time: -1198515s >= -30000s
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe TID: 7624 Thread sleep time: -1198406s >= -30000s
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe TID: 7624 Thread sleep time: -1198296s >= -30000s
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe TID: 7624 Thread sleep time: -1198187s >= -30000s
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe TID: 7624 Thread sleep time: -1198078s >= -30000s
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe TID: 7624 Thread sleep time: -1197968s >= -30000s
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe TID: 7624 Thread sleep time: -1197859s >= -30000s
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe TID: 7624 Thread sleep time: -1197749s >= -30000s
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe TID: 7624 Thread sleep time: -1197640s >= -30000s
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe TID: 7624 Thread sleep time: -1197531s >= -30000s
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe TID: 7624 Thread sleep time: -1197421s >= -30000s
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe TID: 7624 Thread sleep time: -1197312s >= -30000s
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe TID: 7624 Thread sleep time: -1197202s >= -30000s
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe TID: 7624 Thread sleep time: -1197093s >= -30000s
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe TID: 7624 Thread sleep time: -1196983s >= -30000s
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe TID: 7624 Thread sleep time: -1196874s >= -30000s
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe TID: 7624 Thread sleep time: -1196765s >= -30000s
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe TID: 7624 Thread sleep time: -1196655s >= -30000s
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe TID: 7624 Thread sleep time: -1196546s >= -30000s
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe TID: 7624 Thread sleep time: -1196437s >= -30000s
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe TID: 7624 Thread sleep time: -1196327s >= -30000s
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\New order.bat.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\New order.bat.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\New order.bat.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\New order.bat.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Thread delayed: delay time: 100000 Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Thread delayed: delay time: 99890 Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Thread delayed: delay time: 99781 Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Thread delayed: delay time: 99671 Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Thread delayed: delay time: 99562 Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Thread delayed: delay time: 99453 Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Thread delayed: delay time: 99343 Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Thread delayed: delay time: 99234 Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Thread delayed: delay time: 99125 Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Thread delayed: delay time: 99015 Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Thread delayed: delay time: 98906 Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Thread delayed: delay time: 98796 Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Thread delayed: delay time: 98687 Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Thread delayed: delay time: 98578 Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Thread delayed: delay time: 98468 Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Thread delayed: delay time: 98353 Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Thread delayed: delay time: 98250 Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Thread delayed: delay time: 98140 Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Thread delayed: delay time: 98031 Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Thread delayed: delay time: 1200000 Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Thread delayed: delay time: 1199889 Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Thread delayed: delay time: 1199782 Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Thread delayed: delay time: 1199657 Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Thread delayed: delay time: 1199547 Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Thread delayed: delay time: 1199438 Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Thread delayed: delay time: 1199313 Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Thread delayed: delay time: 1199188 Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Thread delayed: delay time: 1199063 Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Thread delayed: delay time: 1198938 Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Thread delayed: delay time: 1198827 Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Thread delayed: delay time: 1198719 Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Thread delayed: delay time: 1198594 Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Thread delayed: delay time: 1198484 Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Thread delayed: delay time: 1198376 Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Thread delayed: delay time: 1198251 Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Thread delayed: delay time: 1198126 Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Thread delayed: delay time: 1198001 Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Thread delayed: delay time: 1197876 Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Thread delayed: delay time: 1197751 Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Thread delayed: delay time: 1197626 Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Thread delayed: delay time: 1197501 Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Thread delayed: delay time: 1197376 Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Thread delayed: delay time: 1197251 Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Thread delayed: delay time: 1197126 Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Thread delayed: delay time: 1197001 Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Thread delayed: delay time: 1196876 Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Thread delayed: delay time: 1196751 Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Thread delayed: delay time: 1196626 Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Thread delayed: delay time: 1196501 Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Thread delayed: delay time: 1196376 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Thread delayed: delay time: 99875
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Thread delayed: delay time: 99765
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Thread delayed: delay time: 99656
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Thread delayed: delay time: 99546
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Thread delayed: delay time: 99437
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Thread delayed: delay time: 99325
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Thread delayed: delay time: 99218
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Thread delayed: delay time: 99109
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Thread delayed: delay time: 99000
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Thread delayed: delay time: 98890
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Thread delayed: delay time: 98777
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Thread delayed: delay time: 98671
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Thread delayed: delay time: 98562
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Thread delayed: delay time: 98453
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Thread delayed: delay time: 98343
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Thread delayed: delay time: 1199937
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Thread delayed: delay time: 1199828
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Thread delayed: delay time: 1199718
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Thread delayed: delay time: 1199609
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Thread delayed: delay time: 1199499
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Thread delayed: delay time: 1199390
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Thread delayed: delay time: 1199281
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Thread delayed: delay time: 1199171
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Thread delayed: delay time: 1199060
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Thread delayed: delay time: 1198953
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Thread delayed: delay time: 1198843
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Thread delayed: delay time: 1198734
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Thread delayed: delay time: 1198624
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Thread delayed: delay time: 1198515
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Thread delayed: delay time: 1198406
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Thread delayed: delay time: 1198296
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Thread delayed: delay time: 1198187
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Thread delayed: delay time: 1198078
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Thread delayed: delay time: 1197968
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Thread delayed: delay time: 1197859
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Thread delayed: delay time: 1197749
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Thread delayed: delay time: 1197640
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Thread delayed: delay time: 1197531
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Thread delayed: delay time: 1197421
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Thread delayed: delay time: 1197312
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Thread delayed: delay time: 1197202
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Thread delayed: delay time: 1197093
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Thread delayed: delay time: 1196983
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Thread delayed: delay time: 1196874
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Thread delayed: delay time: 1196765
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Thread delayed: delay time: 1196655
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Thread delayed: delay time: 1196546
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Thread delayed: delay time: 1196437
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Thread delayed: delay time: 1196327
Source: ydjgrBUVZiNXwd.exe, 00000009.00000002.1781757709.0000000000CA4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: ydjgrBUVZiNXwd.exe, 0000000F.00000002.4154715497.000000000162C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: New order.bat.exe, 00000008.00000002.4155426660.00000000014E4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\New order.bat.exe Process information queried: ProcessInformation Jump to behavior
Enables debug privileges
Source: C:\Users\user\Desktop\New order.bat.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Adds a directory exclusion to Windows Defender
Source: C:\Users\user\Desktop\New order.bat.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\New order.bat.exe
Source: C:\Users\user\Desktop\New order.bat.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe
Source: C:\Users\user\Desktop\New order.bat.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\New order.bat.exe Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Memory written: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\New order.bat.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\New order.bat.exe Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ydjgrBUVZiNXwd" /XML "C:\Users\user\AppData\Local\Temp\tmp6538.tmp Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Process created: C:\Users\user\Desktop\New order.bat.exe C:\Users\user\Desktop\New order.bat.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ydjgrBUVZiNXwd" /XML "C:\Users\user\AppData\Local\Temp\tmp714E.tmp Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process created: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process created: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Process created: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Users\user\Desktop\New order.bat.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Users\user\Desktop\New order.bat.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Queries volume information: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Queries volume information: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\New order.bat.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected AgentTesla
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 0.2.New order.bat.exe.419d928.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.New order.bat.exe.419d928.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.New order.bat.exe.4162d08.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.New order.bat.exe.4162d08.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.4156694586.0000000003247000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.4156694586.0000000003221000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1749230830.0000000004A5B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.4157102606.0000000003497000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.4154105782.0000000000429000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.4157102606.0000000003471000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1749230830.00000000040CE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: New order.bat.exe PID: 7428, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: New order.bat.exe PID: 7880, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ydjgrBUVZiNXwd.exe PID: 7172, type: MEMORYSTR
Yara detected PureLog Stealer
Source: Yara match File source: 0.2.New order.bat.exe.7770000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.New order.bat.exe.3df37b0.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.New order.bat.exe.3dd3790.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.New order.bat.exe.2df20f0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.New order.bat.exe.7730000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.ydjgrBUVZiNXwd.exe.2852128.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.New order.bat.exe.2de20e4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.ydjgrBUVZiNXwd.exe.2852128.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.New order.bat.exe.7730000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.New order.bat.exe.2de20e4.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.New order.bat.exe.3db9970.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.New order.bat.exe.3df37b0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.ydjgrBUVZiNXwd.exe.2862134.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.ydjgrBUVZiNXwd.exe.2862134.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.New order.bat.exe.7770000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.New order.bat.exe.3dd3790.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.New order.bat.exe.3db9970.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.New order.bat.exe.2df20f0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1748858370.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1782769208.0000000002821000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1752881320.0000000007770000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1749230830.0000000003DF3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1782769208.0000000002862000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1749230830.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1748858370.0000000002DF2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1752743151.0000000007730000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\New order.bat.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\New order.bat.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles Jump to behavior
Source: C:\Users\user\Desktop\New order.bat.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\ydjgrBUVZiNXwd.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Yara detected Credential Stealer
Source: Yara match File source: 0.2.New order.bat.exe.419d928.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.New order.bat.exe.419d928.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.New order.bat.exe.4162d08.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.New order.bat.exe.4162d08.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.4156694586.0000000003221000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1749230830.0000000004A5B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.4154105782.0000000000429000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.4157102606.0000000003471000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1749230830.00000000040CE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: New order.bat.exe PID: 7428, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: New order.bat.exe PID: 7880, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ydjgrBUVZiNXwd.exe PID: 7172, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected AgentTesla
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 0.2.New order.bat.exe.419d928.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.New order.bat.exe.419d928.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.New order.bat.exe.4162d08.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.New order.bat.exe.4162d08.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.4156694586.0000000003247000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.4156694586.0000000003221000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1749230830.0000000004A5B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.4157102606.0000000003497000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.4154105782.0000000000429000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.4157102606.0000000003471000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1749230830.00000000040CE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: New order.bat.exe PID: 7428, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: New order.bat.exe PID: 7880, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ydjgrBUVZiNXwd.exe PID: 7172, type: MEMORYSTR
Yara detected PureLog Stealer
Source: Yara match File source: 0.2.New order.bat.exe.7770000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.New order.bat.exe.3df37b0.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.New order.bat.exe.3dd3790.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.New order.bat.exe.2df20f0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.New order.bat.exe.7730000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.ydjgrBUVZiNXwd.exe.2852128.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.New order.bat.exe.2de20e4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.ydjgrBUVZiNXwd.exe.2852128.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.New order.bat.exe.7730000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.New order.bat.exe.2de20e4.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.New order.bat.exe.3db9970.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.New order.bat.exe.3df37b0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.ydjgrBUVZiNXwd.exe.2862134.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.ydjgrBUVZiNXwd.exe.2862134.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.New order.bat.exe.7770000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.New order.bat.exe.3dd3790.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.New order.bat.exe.3db9970.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.New order.bat.exe.2df20f0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1748858370.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1782769208.0000000002821000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1752881320.0000000007770000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1749230830.0000000003DF3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1782769208.0000000002862000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1749230830.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1748858370.0000000002DF2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1752743151.0000000007730000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1396488 Sample: New order.bat.exe Startdate: 21/02/2024 Architecture: WINDOWS Score: 100 46 mail.elec-qatar.com 2->46 48 api.ipify.org 2->48 54 Snort IDS alert for network traffic 2->54 56 Found malware configuration 2->56 58 Malicious sample detected (through community Yara rule) 2->58 60 15 other signatures 2->60 8 ydjgrBUVZiNXwd.exe 5 2->8         started        11 New order.bat.exe 7 2->11         started        signatures3 process4 file5 62 Multi AV Scanner detection for dropped file 8->62 64 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 8->64 66 Machine Learning detection for dropped file 8->66 68 Injects a PE file into a foreign processes 8->68 14 ydjgrBUVZiNXwd.exe 8->14         started        17 schtasks.exe 8->17         started        19 ydjgrBUVZiNXwd.exe 8->19         started        21 ydjgrBUVZiNXwd.exe 8->21         started        42 C:\Users\user\AppData\...\ydjgrBUVZiNXwd.exe, PE32 11->42 dropped 44 C:\Users\user\AppData\Local\...\tmp6538.tmp, XML 11->44 dropped 70 Adds a directory exclusion to Windows Defender 11->70 23 New order.bat.exe 15 2 11->23         started        26 powershell.exe 23 11->26         started        28 powershell.exe 23 11->28         started        30 schtasks.exe 1 11->30         started        signatures6 process7 dnsIp8 72 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->72 74 Tries to steal Mail credentials (via file / registry access) 14->74 76 Tries to harvest and steal browser information (history, passwords, etc) 14->76 32 conhost.exe 17->32         started        50 mail.elec-qatar.com 50.87.139.143, 49735, 49739, 587 UNIFIEDLAYER-AS-1US United States 23->50 52 api.ipify.org 104.26.12.205, 443, 49734, 49738 CLOUDFLARENETUS United States 23->52 78 Installs a global keyboard hook 23->78 34 conhost.exe 26->34         started        36 WmiPrvSE.exe 26->36         started        38 conhost.exe 28->38         started        40 conhost.exe 30->40         started        signatures9 process10
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
104.26.12.205
 api.ipify.org United States
13335 CLOUDFLARENETUS false
50.87.139.143
 mail.elec-qatar.com United States
46606 UNIFIEDLAYER-AS-1US true

Contacted Domains

Name IP Active
api.ipify.org 104.26.12.205 true
mail.elec-qatar.com 50.87.139.143 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://api.ipify.org/ false
    		high