Windows Analysis Report
VN24A02765.PDF.exe

Overview

General Information

Sample name: VN24A02765.PDF.exe
Analysis ID: 1429032
MD5: a65065c3cda87338428330b2912597b9
SHA1: dddf8e014e6eb0f98199a6d5f6b09f70fdef4ae0
SHA256: e67c69055ea1d00cf415d8e67faa2460972ec03a0b49954f085f7741c101d298
Tags: AgentTeslaexe
Infos:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Sigma detected: Suspicious Double Extension File Execution
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code contains very large strings
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Agent Tesla, AgentTesla A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
 https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

AV Detection
barindex
Found malware configuration
Source: 15.2.BjTxJte.exe.4a9a650.0.raw.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.flexwelltour.com", "Username": "info@flexwelltour.com", "Password": "w$5DC?c5"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe ReversingLabs: Detection: 63%
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Virustotal: Detection: 55% Perma Link
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe ReversingLabs: Detection: 63%
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Virustotal: Detection: 55% Perma Link
Multi AV Scanner detection for submitted file
Source: VN24A02765.PDF.exe ReversingLabs: Detection: 63%
Source: VN24A02765.PDF.exe Virustotal: Detection: 55% Perma Link
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: VN24A02765.PDF.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: VN24A02765.PDF.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.5:49718 version: TLS 1.2
Source: VN24A02765.PDF.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: bBFSZ.pdbSHA256 source: VN24A02765.PDF.exe, bSQtuQYbAR.exe.0.dr, BjTxJte.exe.9.dr
Source: Binary string: bBFSZ.pdb source: VN24A02765.PDF.exe, bSQtuQYbAR.exe.0.dr, BjTxJte.exe.9.dr
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Code function: 4x nop then jmp 07BDCA6Eh 10_2_07BDC099
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 4x nop then jmp 07BCCA6Eh 21_2_07BCC099
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.5:49705 -> 94.199.200.238:587
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.26.13.205 104.26.13.205
Source: Joe Sandbox View IP Address: 104.26.13.205 104.26.13.205
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
May check the online IP address of the machine
Source: unknown DNS query: name: api.ipify.org
Source: unknown DNS query: name: api.ipify.org
Source: unknown DNS query: name: api.ipify.org
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.5:49705 -> 94.199.200.238:587
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: unknown DNS traffic detected: queries for: api.ipify.org
Source: VN24A02765.PDF.exe, 00000009.00000002.4462904487.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, VN24A02765.PDF.exe, 00000009.00000002.4462904487.0000000002EDC000.00000004.00000800.00020000.00000000.sdmp, VN24A02765.PDF.exe, 00000009.00000002.4462904487.000000000303F000.00000004.00000800.00020000.00000000.sdmp, VN24A02765.PDF.exe, 00000009.00000002.4462904487.0000000002EF4000.00000004.00000800.00020000.00000000.sdmp, bSQtuQYbAR.exe, 0000000E.00000002.4463937161.00000000034A2000.00000004.00000800.00020000.00000000.sdmp, bSQtuQYbAR.exe, 0000000E.00000002.4463937161.000000000348A000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000014.00000002.4461178169.0000000002EFC000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000014.00000002.4461178169.0000000002F14000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000018.00000002.4462755266.0000000002B4F000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000018.00000002.4462755266.00000000029FC000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000018.00000002.4462755266.0000000002A14000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000018.00000002.4462755266.0000000002B44000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000018.00000002.4462755266.0000000002BDA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://flexwelltour.com
Source: VN24A02765.PDF.exe, 00000009.00000002.4462904487.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, VN24A02765.PDF.exe, 00000009.00000002.4462904487.0000000002EDC000.00000004.00000800.00020000.00000000.sdmp, VN24A02765.PDF.exe, 00000009.00000002.4462904487.000000000303F000.00000004.00000800.00020000.00000000.sdmp, VN24A02765.PDF.exe, 00000009.00000002.4462904487.0000000002EF4000.00000004.00000800.00020000.00000000.sdmp, bSQtuQYbAR.exe, 0000000E.00000002.4463937161.00000000034A2000.00000004.00000800.00020000.00000000.sdmp, bSQtuQYbAR.exe, 0000000E.00000002.4463937161.000000000348A000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000014.00000002.4461178169.0000000002EFC000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000014.00000002.4461178169.0000000002F14000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000018.00000002.4462755266.0000000002B4F000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000018.00000002.4462755266.00000000029FC000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000018.00000002.4462755266.0000000002A14000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000018.00000002.4462755266.0000000002B44000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000018.00000002.4462755266.0000000002BDA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mail.flexwelltour.com
Source: VN24A02765.PDF.exe, 00000000.00000002.2054440059.0000000002BE7000.00000004.00000800.00020000.00000000.sdmp, VN24A02765.PDF.exe, 00000009.00000002.4462904487.0000000002E61000.00000004.00000800.00020000.00000000.sdmp, bSQtuQYbAR.exe, 0000000A.00000002.2105586489.0000000002584000.00000004.00000800.00020000.00000000.sdmp, bSQtuQYbAR.exe, 0000000E.00000002.4463937161.00000000033F1000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 0000000F.00000002.2216783794.0000000002C17000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000014.00000002.4461178169.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000015.00000002.2284974269.000000000240A000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000018.00000002.4462755266.000000000298C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: VN24A02765.PDF.exe, bSQtuQYbAR.exe.0.dr, BjTxJte.exe.9.dr String found in binary or memory: http://tempuri.org/x.xsd?MultiGames.Properties.Resources
Source: VN24A02765.PDF.exe, 00000000.00000002.2055071767.0000000004A2E000.00000004.00000800.00020000.00000000.sdmp, bSQtuQYbAR.exe, 0000000A.00000002.2107341426.00000000035F9000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 0000000F.00000002.2219378794.0000000004A5F000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000014.00000002.4454549377.0000000000436000.00000040.00000400.00020000.00000000.sdmp, BjTxJte.exe, 00000015.00000002.2292150446.000000000424F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://account.dyn.com/
Source: VN24A02765.PDF.exe, 00000000.00000002.2055071767.0000000004A2E000.00000004.00000800.00020000.00000000.sdmp, VN24A02765.PDF.exe, 00000009.00000002.4462904487.0000000002E61000.00000004.00000800.00020000.00000000.sdmp, bSQtuQYbAR.exe, 0000000A.00000002.2107341426.00000000035F9000.00000004.00000800.00020000.00000000.sdmp, bSQtuQYbAR.exe, 0000000E.00000002.4463937161.00000000033F1000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 0000000F.00000002.2219378794.0000000004A5F000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000014.00000002.4461178169.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000015.00000002.2292150446.000000000424F000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000018.00000002.4454509753.000000000042E000.00000040.00000400.00020000.00000000.sdmp, BjTxJte.exe, 00000018.00000002.4462755266.000000000298C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org
Source: VN24A02765.PDF.exe, 00000009.00000002.4462904487.0000000002E61000.00000004.00000800.00020000.00000000.sdmp, bSQtuQYbAR.exe, 0000000E.00000002.4463937161.00000000033F1000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000014.00000002.4461178169.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000018.00000002.4462755266.000000000298C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/
Source: VN24A02765.PDF.exe, 00000009.00000002.4462904487.0000000002E61000.00000004.00000800.00020000.00000000.sdmp, bSQtuQYbAR.exe, 0000000E.00000002.4463937161.00000000033F1000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000014.00000002.4461178169.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000018.00000002.4462755266.000000000298C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/t
Source: VN24A02765.PDF.exe, bSQtuQYbAR.exe.0.dr, BjTxJte.exe.9.dr String found in binary or memory: https://github.com/zuppao).
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.5:49718 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Contains functionality to log keystrokes (.Net Source)
Source: 0.2.VN24A02765.PDF.exe.4a2eba0.0.raw.unpack, cPKWk.cs .Net Code: O7h
Installs a global keyboard hook
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\VN24A02765.PDF.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe
Creates a window with clipboard capturing capabilities
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Window created: window name: CLIPBRDWNDCLASS

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 0.2.VN24A02765.PDF.exe.4a2eba0.0.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.bSQtuQYbAR.exe.3634928.2.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 15.2.BjTxJte.exe.4a5f430.3.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.VN24A02765.PDF.exe.4a69dc0.1.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 21.2.BjTxJte.exe.424f8f0.0.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 21.2.BjTxJte.exe.428ab10.2.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 15.2.BjTxJte.exe.4a9a650.0.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.bSQtuQYbAR.exe.35f9708.1.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.bSQtuQYbAR.exe.35f9708.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 15.2.BjTxJte.exe.4a5f430.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 21.2.BjTxJte.exe.428ab10.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 15.2.BjTxJte.exe.4a9a650.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.bSQtuQYbAR.exe.3634928.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.VN24A02765.PDF.exe.4a69dc0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 21.2.BjTxJte.exe.424f8f0.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.VN24A02765.PDF.exe.4a2eba0.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
.NET source code contains very large array initializations
Source: 0.2.VN24A02765.PDF.exe.51a0000.4.raw.unpack, LoginForm.cs Large array initialization: : array initializer size 33603
.NET source code contains very large strings
Source: VN24A02765.PDF.exe, Form1.cs Long String: Length: 131612
Source: bSQtuQYbAR.exe.0.dr, Form1.cs Long String: Length: 131612
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: VN24A02765.PDF.exe
Detected potential crypto function
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Code function: 0_2_00D9DC74 0_2_00D9DC74
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Code function: 0_2_02A96CC8 0_2_02A96CC8
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Code function: 0_2_02A90006 0_2_02A90006
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Code function: 0_2_02A90040 0_2_02A90040
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Code function: 0_2_02A96CB8 0_2_02A96CB8
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Code function: 0_2_050877F0 0_2_050877F0
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Code function: 0_2_0508C6D0 0_2_0508C6D0
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Code function: 0_2_05089990 0_2_05089990
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Code function: 0_2_0508C9E8 0_2_0508C9E8
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Code function: 0_2_05088AE0 0_2_05088AE0
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Code function: 0_2_05088533 0_2_05088533
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Code function: 0_2_05088540 0_2_05088540
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Code function: 0_2_0508F580 0_2_0508F580
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Code function: 0_2_0508F590 0_2_0508F590
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Code function: 0_2_0508A40B 0_2_0508A40B
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Code function: 0_2_05087790 0_2_05087790
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Code function: 0_2_0508C6C1 0_2_0508C6C1
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Code function: 0_2_0508B6DB 0_2_0508B6DB
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Code function: 0_2_0508B6E8 0_2_0508B6E8
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Code function: 0_2_05088068 0_2_05088068
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Code function: 0_2_05088078 0_2_05088078
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Code function: 0_2_0508BC91 0_2_0508BC91
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Code function: 0_2_0508994D 0_2_0508994D
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Code function: 0_2_0508D950 0_2_0508D950
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Code function: 0_2_0508C9D9 0_2_0508C9D9
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Code function: 0_2_0508A820 0_2_0508A820
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Code function: 0_2_0508A830 0_2_0508A830
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Code function: 0_2_050868C9 0_2_050868C9
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Code function: 0_2_050868D8 0_2_050868D8
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Code function: 0_2_05081B5A 0_2_05081B5A
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Code function: 0_2_05081B60 0_2_05081B60
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Code function: 0_2_0508BA48 0_2_0508BA48
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Code function: 0_2_0508BA58 0_2_0508BA58
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Code function: 0_2_05088AD3 0_2_05088AD3
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Code function: 9_2_012DE188 9_2_012DE188
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Code function: 9_2_012D41F8 9_2_012D41F8
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Code function: 9_2_012DA998 9_2_012DA998
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Code function: 9_2_012DEB17 9_2_012DEB17
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Code function: 9_2_012D4AC8 9_2_012D4AC8
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Code function: 9_2_012DADE8 9_2_012DADE8
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Code function: 9_2_012D3EB0 9_2_012D3EB0
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Code function: 9_2_012D41EC 9_2_012D41EC
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Code function: 9_2_012D19F0 9_2_012D19F0
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Code function: 9_2_012D3EA4 9_2_012D3EA4
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Code function: 9_2_06B23468 9_2_06B23468
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Code function: 9_2_06B255A8 9_2_06B255A8
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Code function: 9_2_06B265C0 9_2_06B265C0
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Code function: 9_2_06B27D40 9_2_06B27D40
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Code function: 9_2_06B2B1F8 9_2_06B2B1F8
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Code function: 9_2_06B27660 9_2_06B27660
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Code function: 9_2_06B25CAB 9_2_06B25CAB
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Code function: 9_2_06B2E378 9_2_06B2E378
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Code function: 9_2_06B20040 9_2_06B20040
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Code function: 9_2_06C1F040 9_2_06C1F040
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Code function: 9_2_06C11FE2 9_2_06C11FE2
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Code function: 9_2_06C11FE8 9_2_06C11FE8
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Code function: 9_2_06B20006 9_2_06B20006
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Code function: 10_2_0252DC74 10_2_0252DC74
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Code function: 10_2_04A86CC8 10_2_04A86CC8
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Code function: 10_2_04A80006 10_2_04A80006
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Code function: 10_2_04A80040 10_2_04A80040
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Code function: 10_2_04A86CB8 10_2_04A86CB8
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Code function: 10_2_04B5C6D0 10_2_04B5C6D0
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Code function: 10_2_04B577F0 10_2_04B577F0
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Code function: 10_2_04B59990 10_2_04B59990
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Code function: 10_2_04B5C9E8 10_2_04B5C9E8
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Code function: 10_2_04B58AE0 10_2_04B58AE0
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Code function: 10_2_04B5A409 10_2_04B5A409
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Code function: 10_2_04B5F590 10_2_04B5F590
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Code function: 10_2_04B5F580 10_2_04B5F580
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Code function: 10_2_04B58532 10_2_04B58532
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Code function: 10_2_04B58540 10_2_04B58540
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Code function: 10_2_04B5B6E8 10_2_04B5B6E8
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Code function: 10_2_04B5B6D8 10_2_04B5B6D8
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Code function: 10_2_04B5C6C1 10_2_04B5C6C1
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Code function: 10_2_04B57790 10_2_04B57790
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Code function: 10_2_04B58078 10_2_04B58078
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Code function: 10_2_04B58068 10_2_04B58068
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Code function: 10_2_04B5BC91 10_2_04B5BC91
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Code function: 10_2_04B568D8 10_2_04B568D8
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Code function: 10_2_04B568C9 10_2_04B568C9
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Code function: 10_2_04B5A830 10_2_04B5A830
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Code function: 10_2_04B5A820 10_2_04B5A820
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Code function: 10_2_04B5C9D9 10_2_04B5C9D9
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Code function: 10_2_04B59902 10_2_04B59902
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Code function: 10_2_04B5D940 10_2_04B5D940
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Code function: 10_2_04B58AD2 10_2_04B58AD2
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Code function: 10_2_04B5BA58 10_2_04B5BA58
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Code function: 10_2_04B5BA48 10_2_04B5BA48
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Code function: 10_2_04B51B60 10_2_04B51B60
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Code function: 10_2_04B51B4F 10_2_04B51B4F
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Code function: 10_2_07BD63F8 10_2_07BD63F8
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Code function: 10_2_07BD8FC8 10_2_07BD8FC8
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Code function: 10_2_07BD6C68 10_2_07BD6C68
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Code function: 10_2_07BD6C58 10_2_07BD6C58
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Code function: 10_2_07BDE920 10_2_07BDE920
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Code function: 10_2_07BD8908 10_2_07BD8908
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Code function: 10_2_07BD6830 10_2_07BD6830
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Code function: 10_2_07BD6820 10_2_07BD6820
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Code function: 14_2_0195E188 14_2_0195E188
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Code function: 14_2_019541F8 14_2_019541F8
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Code function: 14_2_0195A998 14_2_0195A998
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Code function: 14_2_0195EB80 14_2_0195EB80
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Code function: 14_2_01954AC8 14_2_01954AC8
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Code function: 14_2_0195ADF0 14_2_0195ADF0
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Code function: 14_2_01953EB0 14_2_01953EB0
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Code function: 14_2_019541EC 14_2_019541EC
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Code function: 14_2_019519F0 14_2_019519F0
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Code function: 14_2_01954ABE 14_2_01954ABE
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Code function: 14_2_01953EA4 14_2_01953EA4
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Code function: 14_2_07072758 14_2_07072758
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Code function: 14_2_07077D38 14_2_07077D38
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Code function: 14_2_070755A0 14_2_070755A0
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Code function: 14_2_070765B8 14_2_070765B8
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Code function: 14_2_0707B200 14_2_0707B200
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Code function: 14_2_07077658 14_2_07077658
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Code function: 14_2_07075CB8 14_2_07075CB8
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Code function: 14_2_0707E370 14_2_0707E370
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Code function: 14_2_07070040 14_2_07070040
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Code function: 14_2_07161F80 14_2_07161F80
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Code function: 14_2_07161FE8 14_2_07161FE8
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Code function: 14_2_07070006 14_2_07070006
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 15_2_02A2DC74 15_2_02A2DC74
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 15_2_05176CC8 15_2_05176CC8
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 15_2_05170040 15_2_05170040
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 15_2_05176CB8 15_2_05176CB8
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 15_2_051A77F0 15_2_051A77F0
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 15_2_051AC6D0 15_2_051AC6D0
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 15_2_051A9990 15_2_051A9990
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 15_2_051AC9E8 15_2_051AC9E8
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 15_2_051A8AE0 15_2_051A8AE0
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 15_2_051A8532 15_2_051A8532
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 15_2_051A8540 15_2_051A8540
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 15_2_051AF590 15_2_051AF590
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 15_2_051AF580 15_2_051AF580
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 15_2_051AA409 15_2_051AA409
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 15_2_051A7790 15_2_051A7790
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 15_2_051AB6D8 15_2_051AB6D8
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 15_2_051AC6C1 15_2_051AC6C1
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 15_2_051AB6E8 15_2_051AB6E8
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 15_2_051A8028 15_2_051A8028
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 15_2_051A8078 15_2_051A8078
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 15_2_051A8068 15_2_051A8068
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 15_2_051ABC91 15_2_051ABC91
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 15_2_051AD950 15_2_051AD950
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 15_2_051A994D 15_2_051A994D
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 15_2_051AC9D9 15_2_051AC9D9
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 15_2_051AA830 15_2_051AA830
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 15_2_051AA820 15_2_051AA820
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 15_2_051A68D8 15_2_051A68D8
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 15_2_051A68C9 15_2_051A68C9
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 15_2_051A1B4F 15_2_051A1B4F
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 15_2_051A1B60 15_2_051A1B60
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 15_2_051ABA58 15_2_051ABA58
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 15_2_051ABA48 15_2_051ABA48
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 15_2_051A8AD2 15_2_051A8AD2
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 20_2_014A41F8 20_2_014A41F8
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 20_2_014AA878 20_2_014AA878
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 20_2_014A4AC8 20_2_014A4AC8
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 20_2_014AACD0 20_2_014AACD0
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 20_2_014A3EB0 20_2_014A3EB0
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 20_2_014A7B05 20_2_014A7B05
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 20_2_06B43468 20_2_06B43468
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 20_2_06B455A8 20_2_06B455A8
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 20_2_06B4B1F8 20_2_06B4B1F8
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 20_2_06B465C0 20_2_06B465C0
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 20_2_06B47D40 20_2_06B47D40
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 20_2_06B47660 20_2_06B47660
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 20_2_06B4E378 20_2_06B4E378
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 20_2_06B45CAB 20_2_06B45CAB
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 20_2_06B40040 20_2_06B40040
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 20_2_06C31DC5 20_2_06C31DC5
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 20_2_06C31DC8 20_2_06C31DC8
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 20_2_06B40006 20_2_06B40006
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 21_2_0221DC74 21_2_0221DC74
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 21_2_07BC63F8 21_2_07BC63F8
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 21_2_07BC8FC8 21_2_07BC8FC8
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 21_2_07BC6C68 21_2_07BC6C68
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 21_2_07BC6C58 21_2_07BC6C58
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 21_2_07BCE920 21_2_07BCE920
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 21_2_07BC8908 21_2_07BC8908
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 21_2_07BC88F7 21_2_07BC88F7
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 21_2_07BC6830 21_2_07BC6830
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 21_2_07BC682D 21_2_07BC682D
Sample file is different than original file name gathered from version info
Source: VN24A02765.PDF.exe, 00000000.00000002.2059556463.0000000008510000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs VN24A02765.PDF.exe
Source: VN24A02765.PDF.exe, 00000000.00000000.1995657727.0000000000662000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamebBFSZ.exe< vs VN24A02765.PDF.exe
Source: VN24A02765.PDF.exe, 00000000.00000002.2058137016.00000000051A0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs VN24A02765.PDF.exe
Source: VN24A02765.PDF.exe, 00000000.00000002.2053461534.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs VN24A02765.PDF.exe
Source: VN24A02765.PDF.exe, 00000000.00000002.2054440059.0000000002BE7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename3a3d57e0-9612-4728-98de-585016f919fc.exe4 vs VN24A02765.PDF.exe
Source: VN24A02765.PDF.exe, 00000000.00000002.2055071767.0000000004A2E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename3a3d57e0-9612-4728-98de-585016f919fc.exe4 vs VN24A02765.PDF.exe
Source: VN24A02765.PDF.exe, 00000000.00000002.2055071767.0000000004615000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs VN24A02765.PDF.exe
Source: VN24A02765.PDF.exe, 00000009.00000002.4455459914.0000000000D89000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs VN24A02765.PDF.exe
Source: VN24A02765.PDF.exe Binary or memory string: OriginalFilenamebBFSZ.exe< vs VN24A02765.PDF.exe
Uses 32bit PE files
Source: VN24A02765.PDF.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 0.2.VN24A02765.PDF.exe.4a2eba0.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.bSQtuQYbAR.exe.3634928.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 15.2.BjTxJte.exe.4a5f430.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.VN24A02765.PDF.exe.4a69dc0.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 21.2.BjTxJte.exe.424f8f0.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 21.2.BjTxJte.exe.428ab10.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 15.2.BjTxJte.exe.4a9a650.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.bSQtuQYbAR.exe.35f9708.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.bSQtuQYbAR.exe.35f9708.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 15.2.BjTxJte.exe.4a5f430.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 21.2.BjTxJte.exe.428ab10.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 15.2.BjTxJte.exe.4a9a650.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.bSQtuQYbAR.exe.3634928.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.VN24A02765.PDF.exe.4a69dc0.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 21.2.BjTxJte.exe.424f8f0.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.VN24A02765.PDF.exe.4a2eba0.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: VN24A02765.PDF.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: bSQtuQYbAR.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.VN24A02765.PDF.exe.4a2eba0.0.raw.unpack, cPs8D.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.VN24A02765.PDF.exe.4a2eba0.0.raw.unpack, 72CF8egH.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.VN24A02765.PDF.exe.4a2eba0.0.raw.unpack, G5CXsdn.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.VN24A02765.PDF.exe.4a2eba0.0.raw.unpack, 3uPsILA6U.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.VN24A02765.PDF.exe.4a2eba0.0.raw.unpack, 6oQOw74dfIt.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.VN24A02765.PDF.exe.4a2eba0.0.raw.unpack, aMIWm.cs Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.VN24A02765.PDF.exe.4a2eba0.0.raw.unpack, 3QjbQ514BDx.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.VN24A02765.PDF.exe.4a2eba0.0.raw.unpack, 3QjbQ514BDx.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.VN24A02765.PDF.exe.8510000.7.raw.unpack, v9BE9MWv4aiJkgECVY.cs Security API names: _0020.SetAccessControl
Source: 0.2.VN24A02765.PDF.exe.8510000.7.raw.unpack, v9BE9MWv4aiJkgECVY.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.VN24A02765.PDF.exe.8510000.7.raw.unpack, v9BE9MWv4aiJkgECVY.cs Security API names: _0020.AddAccessRule
Source: 0.2.VN24A02765.PDF.exe.8510000.7.raw.unpack, EM7XEcdtvoG3ZpRHPm.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.VN24A02765.PDF.exe.494f658.2.raw.unpack, EM7XEcdtvoG3ZpRHPm.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.VN24A02765.PDF.exe.494f658.2.raw.unpack, v9BE9MWv4aiJkgECVY.cs Security API names: _0020.SetAccessControl
Source: 0.2.VN24A02765.PDF.exe.494f658.2.raw.unpack, v9BE9MWv4aiJkgECVY.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.VN24A02765.PDF.exe.494f658.2.raw.unpack, v9BE9MWv4aiJkgECVY.cs Security API names: _0020.AddAccessRule
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@35/20@2/2
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe File created: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7740:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8036:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:572:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7300:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5528:120:WilError_03
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Mutant created: \Sessions\1\BaseNamedObjects\SiPnSaiK
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5912:120:WilError_03
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe File created: C:\Users\user\AppData\Local\Temp\tmp9B6D.tmp Jump to behavior
Source: VN24A02765.PDF.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: VN24A02765.PDF.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: VN24A02765.PDF.exe ReversingLabs: Detection: 63%
Source: VN24A02765.PDF.exe Virustotal: Detection: 55%
Source: VN24A02765.PDF.exe String found in binary or memory: Save/Load
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe File read: C:\Users\user\Desktop\VN24A02765.PDF.exe:Zone.Identifier Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\VN24A02765.PDF.exe "C:\Users\user\Desktop\VN24A02765.PDF.exe"
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\VN24A02765.PDF.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bSQtuQYbAR" /XML "C:\Users\user\AppData\Local\Temp\tmp9B6D.tmp"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process created: C:\Users\user\Desktop\VN24A02765.PDF.exe "C:\Users\user\Desktop\VN24A02765.PDF.exe"
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process created: C:\Users\user\Desktop\VN24A02765.PDF.exe "C:\Users\user\Desktop\VN24A02765.PDF.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bSQtuQYbAR" /XML "C:\Users\user\AppData\Local\Temp\tmpB0CA.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process created: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe "C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe "C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe"
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bSQtuQYbAR" /XML "C:\Users\user\AppData\Local\Temp\tmpDC01.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process created: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe "C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe"
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process created: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe "C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe "C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe"
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bSQtuQYbAR" /XML "C:\Users\user\AppData\Local\Temp\tmpF68D.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process created: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe "C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe"
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\VN24A02765.PDF.exe" Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe" Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bSQtuQYbAR" /XML "C:\Users\user\AppData\Local\Temp\tmp9B6D.tmp" Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process created: C:\Users\user\Desktop\VN24A02765.PDF.exe "C:\Users\user\Desktop\VN24A02765.PDF.exe" Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process created: C:\Users\user\Desktop\VN24A02765.PDF.exe "C:\Users\user\Desktop\VN24A02765.PDF.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bSQtuQYbAR" /XML "C:\Users\user\AppData\Local\Temp\tmpB0CA.tmp" Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process created: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe "C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bSQtuQYbAR" /XML "C:\Users\user\AppData\Local\Temp\tmpDC01.tmp"
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process created: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe "C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe"
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process created: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe "C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe"
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bSQtuQYbAR" /XML "C:\Users\user\AppData\Local\Temp\tmpF68D.tmp"
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process created: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe "C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe"
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles Jump to behavior
Source: VN24A02765.PDF.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: VN24A02765.PDF.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: VN24A02765.PDF.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: bBFSZ.pdbSHA256 source: VN24A02765.PDF.exe, bSQtuQYbAR.exe.0.dr, BjTxJte.exe.9.dr
Source: Binary string: bBFSZ.pdb source: VN24A02765.PDF.exe, bSQtuQYbAR.exe.0.dr, BjTxJte.exe.9.dr

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: VN24A02765.PDF.exe, Form1.cs .Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: bSQtuQYbAR.exe.0.dr, Form1.cs .Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: 0.2.VN24A02765.PDF.exe.8510000.7.raw.unpack, v9BE9MWv4aiJkgECVY.cs .Net Code: NrrQx3kkTI System.Reflection.Assembly.Load(byte[])
Source: 0.2.VN24A02765.PDF.exe.494f658.2.raw.unpack, v9BE9MWv4aiJkgECVY.cs .Net Code: NrrQx3kkTI System.Reflection.Assembly.Load(byte[])
Source: 0.2.VN24A02765.PDF.exe.51a0000.4.raw.unpack, .cs .Net Code: System.Reflection.Assembly.Load(byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Code function: 0_2_050893DD pushad ; retf 0_2_050893DE
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Code function: 0_2_050893E7 pushad ; retf 0_2_050893E8
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Code function: 0_2_05086EA7 push ebx; ret 0_2_05086EAA
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Code function: 9_2_012D0728 push eax; ret 9_2_012D0732
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Code function: 9_2_012D0718 push eax; ret 9_2_012D0722
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Code function: 9_2_012D06AF push eax; ret 9_2_012D06B2
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Code function: 9_2_012D06A1 push eax; ret 9_2_012D06A2
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Code function: 9_2_012D06F8 push eax; ret 9_2_012D0702
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Code function: 9_2_012D06F1 push eax; ret 9_2_012D06F2
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Code function: 9_2_012D0C3D push edi; ret 9_2_012D0CC2
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Code function: 9_2_012D0C95 push edi; retf 9_2_012D0C3A
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Code function: 9_2_06C1836D push esp; iretd 9_2_06C18375
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Code function: 9_2_06C17EF8 push esp; iretd 9_2_06C17F01
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Code function: 9_2_06C1BC41 push es; ret 9_2_06C1BC50
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Code function: 10_2_04B593E7 pushad ; retf 10_2_04B593E8
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Code function: 10_2_04B593DD pushad ; retf 10_2_04B593DE
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Code function: 10_2_04B56EA7 push ebx; ret 10_2_04B56EAA
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Code function: 14_2_01950718 push eax; ret 14_2_01950722
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Code function: 14_2_01950708 push eax; ret 14_2_01950712
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Code function: 14_2_01950728 push eax; ret 14_2_01950732
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Code function: 14_2_01950698 push eax; ret 14_2_01950712
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Code function: 14_2_019506C8 push eax; ret 14_2_01950702
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Code function: 14_2_01950C95 push edi; retf 14_2_01950C3A
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Code function: 14_2_01950C3D push edi; ret 14_2_01950CC2
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Code function: 14_2_07167CE8 push esp; iretd 14_2_07167CF1
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 15_2_051A93DD pushad ; retf 15_2_051A93DE
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 15_2_051A93E7 pushad ; retf 15_2_051A93E8
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 15_2_051A6EA7 push ebx; ret 15_2_051A6EAA
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 20_2_014A0708 push eax; ret 20_2_014A0712
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 20_2_014A0718 push eax; ret 20_2_014A0722
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 20_2_014A0728 push eax; ret 20_2_014A0732
Source: VN24A02765.PDF.exe Static PE information: section name: .text entropy: 7.304484381885553
Source: bSQtuQYbAR.exe.0.dr Static PE information: section name: .text entropy: 7.304484381885553
Source: 0.2.VN24A02765.PDF.exe.8510000.7.raw.unpack, NhsirBnOsm2PiHFcL3.cs High entropy of concatenated method names: 'aNGvm0xDyH', 'AksvuGUW3A', 'BAavkVJRqy', 'JfqvfnJj1Z', 'XO0vwUMswE', 'da0vTIbsde', 'AZGv6mXvMB', 'AE5vq3SerH', 'LocvjobKQR', 'CFcvD3yHiI'
Source: 0.2.VN24A02765.PDF.exe.8510000.7.raw.unpack, UNWHVfwmnKhSkY8Zdg.cs High entropy of concatenated method names: 'p8mnKg0OtP', 'y4AnIKOglA', 'f1hnxxlOwx', 'HZ5nmXWJn4', 'aRHnugUykh', 'VJYnr96iVM', 'oVinfNdlM9', 'Bjpnb2EfLS', 'Dg6QSakyqP0kYs4cp34', 'JHA7Fwk5REU53mM9iZU'
Source: 0.2.VN24A02765.PDF.exe.8510000.7.raw.unpack, DWXp1E9muZNebYegdu.cs High entropy of concatenated method names: 'luXZkGRuEA', 'y0AZfpW8av', 'CMeZ2e96h6', 'KsoZ1nj6ni', 'cgeZYKs8tG', 'XoIZEZMcPj', 'kdrZNLjdec', 'yvfZ7jyEaZ', 'aoiZ9F8jyB', 'TLoZsIuJ5s'
Source: 0.2.VN24A02765.PDF.exe.8510000.7.raw.unpack, zMuVvX5CLjlpV7oIrP.cs High entropy of concatenated method names: 'zQc651XIYa', 'vbs6SS8HTM', 'ETbqcd9cAp', 'qWVq46nmvR', 'sOb6sLxSNJ', 'lY06Fq4kVB', 'j3p6RfwC6S', 'hda6PAQspU', 'Y4k6pd046w', 'tQd6BT1XeY'
Source: 0.2.VN24A02765.PDF.exe.8510000.7.raw.unpack, jKAA8IzUsKYWOnGm8I.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'FYZjZgDlOk', 'FTHjwSV9bB', 'nU6jTNWA9g', 'MnUj67nV5v', 'B8TjqHUTFU', 'iijjjWcqN5', 'nxSjDuDT3s'
Source: 0.2.VN24A02765.PDF.exe.8510000.7.raw.unpack, etFABD1ear1juXfRYQ.cs High entropy of concatenated method names: 'i5DnMTCybF', 'KfynadMbNw', 'ifvn0OAjS0', 'GUWnWr9sll', 'fHlnijtxK4', 'v1V0yN3rFu', 'dZI0JVkhaY', 'bPs0gZTur1', 'xhx05I6sgp', 'qQV0VBeJou'
Source: 0.2.VN24A02765.PDF.exe.8510000.7.raw.unpack, Bg4JLCxrPudLvBlQkM.cs High entropy of concatenated method names: 'WxoWlg7wav', 'IEhWvJrFCU', 'in0Wnm3NNH', 'JndnSXKkgi', 'y61nziVqwF', 'wBZWclBBCo', 'U8AW4Biy54', 'PIdWoOes3e', 'NGPWUypBp2', 'SgSWQjNd5R'
Source: 0.2.VN24A02765.PDF.exe.8510000.7.raw.unpack, tvIx5UqElIJVlhHVJJ.cs High entropy of concatenated method names: 'Dispose', 'dHo4VxHceR', 'utqo1VpV5H', 'V77AA0oCR9', 'g4c4S7CNcJ', 'UEx4zhrU6r', 'ProcessDialogKey', 'mEHocgIJom', 'gEJo47otEJ', 'krkooVYge7'
Source: 0.2.VN24A02765.PDF.exe.8510000.7.raw.unpack, QC5jj26LqURaTMXxNv.cs High entropy of concatenated method names: 'Mi2j41ZyHO', 'f85jUI88dv', 'uSvjQovckL', 'bRkjlIVXaW', 'Bd2ja6yuHF', 'eBBj0tYV8F', 'gagjnWj3UN', 'PqsqgZ7Q8p', 'ke3q5TUD4F', 'NaJqVqCxY1'
Source: 0.2.VN24A02765.PDF.exe.8510000.7.raw.unpack, RWcx2kmFbroNNwVnuMk.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'GatDPW96RX', 'GOsDp8HRwQ', 'OV8DBC6qK1', 'hbiDG99sGx', 'asNDyVpcDW', 'pUpDJ0fJRE', 'wZLDgjBD12'
Source: 0.2.VN24A02765.PDF.exe.8510000.7.raw.unpack, YLlZYD8IQexYHrfKPF.cs High entropy of concatenated method names: 'Hy7WIfbKjg', 'cAaWHSmekl', 'UGaWxxqImT', 'EuBWmWsJyX', 'jSFWeN8oUd', 'J1vWuZYII5', 'xGuWrm4wMN', 'yEHWkdu5O4', 'LffWf1sYlm', 'TT4Wb2pxeu'
Source: 0.2.VN24A02765.PDF.exe.8510000.7.raw.unpack, oarTdtmo5LuEHdCRvkn.cs High entropy of concatenated method names: 'RaRjIu2RWI', 'IacjHbqyTv', 'hTdjxarTiH', 'zk3jmjIVQ1', 'UmJjeNndkm', 'AOJjugaNsL', 'T2cjr1cRmk', 'SnPjkiPgpU', 'maRjfOvCqf', 'SJWjb4giNW'
Source: 0.2.VN24A02765.PDF.exe.8510000.7.raw.unpack, v9BE9MWv4aiJkgECVY.cs High entropy of concatenated method names: 'eAHUMH07US', 'zRBUleNoy8', 'MhYUaYqBBy', 'lgeUvDocHK', 'qeFU0aDUNt', 'ST2Un7u2s8', 'ODeUWmwLL7', 'EquUiDgP5H', 'KUeUhYSilr', 'GbbUdsAOdv'
Source: 0.2.VN24A02765.PDF.exe.8510000.7.raw.unpack, EM7XEcdtvoG3ZpRHPm.cs High entropy of concatenated method names: 'IwraPWZPvT', 'tOyapR8eYn', 'hCKaBxTebN', 'NsLaGJIdNg', 'U5OayxXngf', 'A0WaJQKCP2', 'dFrag0HFh3', 'VDea5pcBCp', 'Ji7aVuTA9i', 'J17aSJcOxd'
Source: 0.2.VN24A02765.PDF.exe.8510000.7.raw.unpack, kmhtXttCMog0CalSQE.cs High entropy of concatenated method names: 'ToString', 'Ub3TstKL5O', 'zgnT1VfWp4', 'j3uTt0amYw', 'yURTYEou4I', 'P4sTEJC0x3', 'GdCTXxMEYi', 'rsjTNPlGrx', 'kY9T73xL6w', 'xdmT8OWLgA'
Source: 0.2.VN24A02765.PDF.exe.8510000.7.raw.unpack, lmA9qmaLd9UxsTMkj9.cs High entropy of concatenated method names: 'm1Sx6xPkI', 'QXkmvewBe', 'Qx2uRmv8a', 'nW2rkOes6', 'BQWfdwZbO', 'vikb8IoiU', 'IjlIqHhuE8mdJ617hw', 'SxpDoru4miOBpnN95E', 'XU1qpD9Hl', 'zKoDn9lGJ'
Source: 0.2.VN24A02765.PDF.exe.8510000.7.raw.unpack, dJ0EYP7OkxgZcQhbsd.cs High entropy of concatenated method names: 'orxq2ZfB2U', 'u5Hq19uCSy', 'sSdqtmly1D', 'NM8qYWR3Be', 'JJuqPJc33T', 'p4wqEh41UP', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.VN24A02765.PDF.exe.8510000.7.raw.unpack, FH9PJkfjRq6ikmCmKK.cs High entropy of concatenated method names: 'EDF0eS7Xyf', 'ceZ0rG1p1q', 'lXsvtDrAhf', 'wGvvYfUNv9', 'sewvEDIgIB', 'kXkvXjlLDj', 'bI4vN7JmJZ', 'a7Wv7yRbXr', 'Ge2v8oCHLP', 'CViv9VqxTq'
Source: 0.2.VN24A02765.PDF.exe.8510000.7.raw.unpack, z2r9ma4fXxxqMbYchL.cs High entropy of concatenated method names: 'wdv4Wei8pl', 'n4T4iMSf86', 'poe4deYtD0', 'lhk4COVaYY', 'SB54wvaOQr', 'q8C4TydrYX', 'i0mZUDlPevZytSnC19', 'HG6fblvvAQHTJ2AYrD', 'rJy446xPR2', 'ben4UtiMAv'
Source: 0.2.VN24A02765.PDF.exe.8510000.7.raw.unpack, vWW4ImeUMi0f0NmN0S.cs High entropy of concatenated method names: 'NwGw9lC0mR', 'E6TwFZCH10', 'nQowPS3Q0u', 'yL2wpatfd5', 'iXlw19Kxyv', 'b29wt25uHL', 'z87wY1ohjL', 'tTdwESZBQt', 'ObgwXd4g6E', 'qxawNF19Yf'
Source: 0.2.VN24A02765.PDF.exe.8510000.7.raw.unpack, sZAUGqjfMoF5li3EGW.cs High entropy of concatenated method names: 'Unf6dOBR4G', 'CA36CnEotF', 'ToString', 'sTi6llklVt', 'X8t6avjflB', 'oGc6vJRyg9', 'apV60UcnVN', 'kEp6niqYyY', 'IEJ6WUqeoB', 'vXu6iHk83u'
Source: 0.2.VN24A02765.PDF.exe.8510000.7.raw.unpack, zlUMDYJaBAm44H8kyk.cs High entropy of concatenated method names: 'L1nqlTQiLr', 'FuTqa6sgxZ', 'Ix6qvsBchA', 'RGhq0bEpS0', 'BdNqnb5f8E', 'mVFqWRyVor', 'WFRqimFt1j', 'TY1qhGBZWj', 'RCJqdI7wIR', 'bZqqCYVW0C'
Source: 0.2.VN24A02765.PDF.exe.494f658.2.raw.unpack, NhsirBnOsm2PiHFcL3.cs High entropy of concatenated method names: 'aNGvm0xDyH', 'AksvuGUW3A', 'BAavkVJRqy', 'JfqvfnJj1Z', 'XO0vwUMswE', 'da0vTIbsde', 'AZGv6mXvMB', 'AE5vq3SerH', 'LocvjobKQR', 'CFcvD3yHiI'
Source: 0.2.VN24A02765.PDF.exe.494f658.2.raw.unpack, UNWHVfwmnKhSkY8Zdg.cs High entropy of concatenated method names: 'p8mnKg0OtP', 'y4AnIKOglA', 'f1hnxxlOwx', 'HZ5nmXWJn4', 'aRHnugUykh', 'VJYnr96iVM', 'oVinfNdlM9', 'Bjpnb2EfLS', 'Dg6QSakyqP0kYs4cp34', 'JHA7Fwk5REU53mM9iZU'
Source: 0.2.VN24A02765.PDF.exe.494f658.2.raw.unpack, DWXp1E9muZNebYegdu.cs High entropy of concatenated method names: 'luXZkGRuEA', 'y0AZfpW8av', 'CMeZ2e96h6', 'KsoZ1nj6ni', 'cgeZYKs8tG', 'XoIZEZMcPj', 'kdrZNLjdec', 'yvfZ7jyEaZ', 'aoiZ9F8jyB', 'TLoZsIuJ5s'
Source: 0.2.VN24A02765.PDF.exe.494f658.2.raw.unpack, zMuVvX5CLjlpV7oIrP.cs High entropy of concatenated method names: 'zQc651XIYa', 'vbs6SS8HTM', 'ETbqcd9cAp', 'qWVq46nmvR', 'sOb6sLxSNJ', 'lY06Fq4kVB', 'j3p6RfwC6S', 'hda6PAQspU', 'Y4k6pd046w', 'tQd6BT1XeY'
Source: 0.2.VN24A02765.PDF.exe.494f658.2.raw.unpack, jKAA8IzUsKYWOnGm8I.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'FYZjZgDlOk', 'FTHjwSV9bB', 'nU6jTNWA9g', 'MnUj67nV5v', 'B8TjqHUTFU', 'iijjjWcqN5', 'nxSjDuDT3s'
Source: 0.2.VN24A02765.PDF.exe.494f658.2.raw.unpack, etFABD1ear1juXfRYQ.cs High entropy of concatenated method names: 'i5DnMTCybF', 'KfynadMbNw', 'ifvn0OAjS0', 'GUWnWr9sll', 'fHlnijtxK4', 'v1V0yN3rFu', 'dZI0JVkhaY', 'bPs0gZTur1', 'xhx05I6sgp', 'qQV0VBeJou'
Source: 0.2.VN24A02765.PDF.exe.494f658.2.raw.unpack, Bg4JLCxrPudLvBlQkM.cs High entropy of concatenated method names: 'WxoWlg7wav', 'IEhWvJrFCU', 'in0Wnm3NNH', 'JndnSXKkgi', 'y61nziVqwF', 'wBZWclBBCo', 'U8AW4Biy54', 'PIdWoOes3e', 'NGPWUypBp2', 'SgSWQjNd5R'
Source: 0.2.VN24A02765.PDF.exe.494f658.2.raw.unpack, tvIx5UqElIJVlhHVJJ.cs High entropy of concatenated method names: 'Dispose', 'dHo4VxHceR', 'utqo1VpV5H', 'V77AA0oCR9', 'g4c4S7CNcJ', 'UEx4zhrU6r', 'ProcessDialogKey', 'mEHocgIJom', 'gEJo47otEJ', 'krkooVYge7'
Source: 0.2.VN24A02765.PDF.exe.494f658.2.raw.unpack, QC5jj26LqURaTMXxNv.cs High entropy of concatenated method names: 'Mi2j41ZyHO', 'f85jUI88dv', 'uSvjQovckL', 'bRkjlIVXaW', 'Bd2ja6yuHF', 'eBBj0tYV8F', 'gagjnWj3UN', 'PqsqgZ7Q8p', 'ke3q5TUD4F', 'NaJqVqCxY1'
Source: 0.2.VN24A02765.PDF.exe.494f658.2.raw.unpack, RWcx2kmFbroNNwVnuMk.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'GatDPW96RX', 'GOsDp8HRwQ', 'OV8DBC6qK1', 'hbiDG99sGx', 'asNDyVpcDW', 'pUpDJ0fJRE', 'wZLDgjBD12'
Source: 0.2.VN24A02765.PDF.exe.494f658.2.raw.unpack, YLlZYD8IQexYHrfKPF.cs High entropy of concatenated method names: 'Hy7WIfbKjg', 'cAaWHSmekl', 'UGaWxxqImT', 'EuBWmWsJyX', 'jSFWeN8oUd', 'J1vWuZYII5', 'xGuWrm4wMN', 'yEHWkdu5O4', 'LffWf1sYlm', 'TT4Wb2pxeu'
Source: 0.2.VN24A02765.PDF.exe.494f658.2.raw.unpack, oarTdtmo5LuEHdCRvkn.cs High entropy of concatenated method names: 'RaRjIu2RWI', 'IacjHbqyTv', 'hTdjxarTiH', 'zk3jmjIVQ1', 'UmJjeNndkm', 'AOJjugaNsL', 'T2cjr1cRmk', 'SnPjkiPgpU', 'maRjfOvCqf', 'SJWjb4giNW'
Source: 0.2.VN24A02765.PDF.exe.494f658.2.raw.unpack, v9BE9MWv4aiJkgECVY.cs High entropy of concatenated method names: 'eAHUMH07US', 'zRBUleNoy8', 'MhYUaYqBBy', 'lgeUvDocHK', 'qeFU0aDUNt', 'ST2Un7u2s8', 'ODeUWmwLL7', 'EquUiDgP5H', 'KUeUhYSilr', 'GbbUdsAOdv'
Source: 0.2.VN24A02765.PDF.exe.494f658.2.raw.unpack, EM7XEcdtvoG3ZpRHPm.cs High entropy of concatenated method names: 'IwraPWZPvT', 'tOyapR8eYn', 'hCKaBxTebN', 'NsLaGJIdNg', 'U5OayxXngf', 'A0WaJQKCP2', 'dFrag0HFh3', 'VDea5pcBCp', 'Ji7aVuTA9i', 'J17aSJcOxd'
Source: 0.2.VN24A02765.PDF.exe.494f658.2.raw.unpack, kmhtXttCMog0CalSQE.cs High entropy of concatenated method names: 'ToString', 'Ub3TstKL5O', 'zgnT1VfWp4', 'j3uTt0amYw', 'yURTYEou4I', 'P4sTEJC0x3', 'GdCTXxMEYi', 'rsjTNPlGrx', 'kY9T73xL6w', 'xdmT8OWLgA'
Source: 0.2.VN24A02765.PDF.exe.494f658.2.raw.unpack, lmA9qmaLd9UxsTMkj9.cs High entropy of concatenated method names: 'm1Sx6xPkI', 'QXkmvewBe', 'Qx2uRmv8a', 'nW2rkOes6', 'BQWfdwZbO', 'vikb8IoiU', 'IjlIqHhuE8mdJ617hw', 'SxpDoru4miOBpnN95E', 'XU1qpD9Hl', 'zKoDn9lGJ'
Source: 0.2.VN24A02765.PDF.exe.494f658.2.raw.unpack, dJ0EYP7OkxgZcQhbsd.cs High entropy of concatenated method names: 'orxq2ZfB2U', 'u5Hq19uCSy', 'sSdqtmly1D', 'NM8qYWR3Be', 'JJuqPJc33T', 'p4wqEh41UP', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.VN24A02765.PDF.exe.494f658.2.raw.unpack, FH9PJkfjRq6ikmCmKK.cs High entropy of concatenated method names: 'EDF0eS7Xyf', 'ceZ0rG1p1q', 'lXsvtDrAhf', 'wGvvYfUNv9', 'sewvEDIgIB', 'kXkvXjlLDj', 'bI4vN7JmJZ', 'a7Wv7yRbXr', 'Ge2v8oCHLP', 'CViv9VqxTq'
Source: 0.2.VN24A02765.PDF.exe.494f658.2.raw.unpack, z2r9ma4fXxxqMbYchL.cs High entropy of concatenated method names: 'wdv4Wei8pl', 'n4T4iMSf86', 'poe4deYtD0', 'lhk4COVaYY', 'SB54wvaOQr', 'q8C4TydrYX', 'i0mZUDlPevZytSnC19', 'HG6fblvvAQHTJ2AYrD', 'rJy446xPR2', 'ben4UtiMAv'
Source: 0.2.VN24A02765.PDF.exe.494f658.2.raw.unpack, vWW4ImeUMi0f0NmN0S.cs High entropy of concatenated method names: 'NwGw9lC0mR', 'E6TwFZCH10', 'nQowPS3Q0u', 'yL2wpatfd5', 'iXlw19Kxyv', 'b29wt25uHL', 'z87wY1ohjL', 'tTdwESZBQt', 'ObgwXd4g6E', 'qxawNF19Yf'
Source: 0.2.VN24A02765.PDF.exe.494f658.2.raw.unpack, sZAUGqjfMoF5li3EGW.cs High entropy of concatenated method names: 'Unf6dOBR4G', 'CA36CnEotF', 'ToString', 'sTi6llklVt', 'X8t6avjflB', 'oGc6vJRyg9', 'apV60UcnVN', 'kEp6niqYyY', 'IEJ6WUqeoB', 'vXu6iHk83u'
Source: 0.2.VN24A02765.PDF.exe.494f658.2.raw.unpack, zlUMDYJaBAm44H8kyk.cs High entropy of concatenated method names: 'L1nqlTQiLr', 'FuTqa6sgxZ', 'Ix6qvsBchA', 'RGhq0bEpS0', 'BdNqnb5f8E', 'mVFqWRyVor', 'WFRqimFt1j', 'TY1qhGBZWj', 'RCJqdI7wIR', 'bZqqCYVW0C'
Drops PE files
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe File created: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Jump to dropped file
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe File created: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Jump to dropped file

Boot Survival
barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bSQtuQYbAR" /XML "C:\Users\user\AppData\Local\Temp\tmp9B6D.tmp"
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run BjTxJte Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run BjTxJte Jump to behavior

Hooking and other Techniques for Hiding and Protection
barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe File opened: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe File opened: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe:Zone.Identifier read attributes | delete
Loading BitLocker PowerShell Module
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Uses an obfuscated file name to hide its real file extension (double extension)
Source: Possible double extension: pdf.exe Static PE information: VN24A02765.PDF.exe
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: VN24A02765.PDF.exe PID: 3140, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: bSQtuQYbAR.exe PID: 5948, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: BjTxJte.exe PID: 7480, type: MEMORYSTR
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Memory allocated: D90000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Memory allocated: 2BB0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Memory allocated: 2960000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Memory allocated: 5E30000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Memory allocated: 6E30000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Memory allocated: 6F60000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Memory allocated: 7F60000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Memory allocated: 85C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Memory allocated: 95C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Memory allocated: A5C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Memory allocated: B5C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Memory allocated: 1240000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Memory allocated: 2E60000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Memory allocated: 2BD0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Memory allocated: 2310000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Memory allocated: 2550000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Memory allocated: 2460000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Memory allocated: 5810000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Memory allocated: 6810000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Memory allocated: 6940000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Memory allocated: 7940000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Memory allocated: 8060000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Memory allocated: 5810000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Memory allocated: 1910000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Memory allocated: 33F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Memory allocated: 53F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory allocated: 2A20000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory allocated: 2BE0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory allocated: 4BE0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory allocated: 6020000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory allocated: 7020000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory allocated: 7160000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory allocated: 8160000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory allocated: 8720000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory allocated: 9720000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory allocated: A720000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory allocated: B720000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory allocated: 14A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory allocated: 2E80000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory allocated: 2CC0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory allocated: 2210000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory allocated: 23D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory allocated: 43D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory allocated: 5760000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory allocated: 6760000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory allocated: 68A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory allocated: 78A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory allocated: 7F30000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory allocated: 8F30000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory allocated: 9F30000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory allocated: AF30000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory allocated: CC0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory allocated: 2980000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory allocated: 4980000 memory reserve | memory write watch
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7793 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7225 Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Window / User API: threadDelayed 3443 Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Window / User API: threadDelayed 6414 Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Window / User API: threadDelayed 3344
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Window / User API: threadDelayed 6490
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Window / User API: threadDelayed 4019
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Window / User API: threadDelayed 5833
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Window / User API: threadDelayed 5890
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Window / User API: threadDelayed 3951
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe TID: 6432 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4500 Thread sleep count: 7793 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4820 Thread sleep time: -5534023222112862s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6628 Thread sleep count: 191 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7156 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2180 Thread sleep time: -3689348814741908s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4320 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe TID: 7216 Thread sleep time: -32281802128991695s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe TID: 7216 Thread sleep time: -100000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe TID: 7216 Thread sleep time: -99890s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe TID: 7216 Thread sleep time: -99780s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe TID: 7216 Thread sleep time: -99635s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe TID: 7216 Thread sleep time: -99531s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe TID: 7216 Thread sleep time: -99422s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe TID: 7216 Thread sleep time: -99312s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe TID: 7216 Thread sleep time: -99203s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe TID: 7216 Thread sleep time: -99093s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe TID: 7216 Thread sleep time: -98984s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe TID: 7216 Thread sleep time: -98874s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe TID: 7216 Thread sleep time: -98765s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe TID: 7216 Thread sleep time: -98656s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe TID: 7216 Thread sleep time: -98547s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe TID: 7216 Thread sleep time: -98437s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe TID: 7216 Thread sleep time: -98328s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe TID: 7216 Thread sleep time: -98218s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe TID: 7216 Thread sleep time: -98109s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe TID: 7216 Thread sleep time: -97992s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe TID: 7216 Thread sleep time: -97890s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe TID: 7216 Thread sleep time: -97781s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe TID: 7216 Thread sleep time: -97664s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe TID: 7216 Thread sleep time: -97562s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe TID: 7216 Thread sleep time: -97453s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe TID: 7216 Thread sleep time: -97343s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe TID: 7216 Thread sleep time: -97234s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe TID: 7216 Thread sleep time: -97124s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe TID: 7216 Thread sleep time: -97015s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe TID: 7216 Thread sleep time: -96906s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe TID: 7216 Thread sleep time: -96797s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe TID: 7216 Thread sleep time: -96686s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe TID: 7216 Thread sleep time: -96578s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe TID: 7216 Thread sleep time: -96468s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe TID: 7216 Thread sleep time: -96359s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe TID: 7216 Thread sleep time: -96250s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe TID: 7216 Thread sleep time: -96140s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe TID: 7216 Thread sleep time: -96031s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe TID: 7216 Thread sleep time: -95921s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe TID: 7216 Thread sleep time: -95811s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe TID: 7216 Thread sleep time: -95703s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe TID: 7216 Thread sleep time: -95593s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe TID: 7216 Thread sleep time: -95484s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe TID: 7216 Thread sleep time: -95375s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe TID: 7216 Thread sleep time: -95263s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe TID: 7216 Thread sleep time: -95156s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe TID: 7216 Thread sleep time: -95047s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe TID: 7216 Thread sleep time: -94921s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe TID: 7216 Thread sleep time: -94812s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe TID: 7216 Thread sleep time: -94703s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe TID: 7216 Thread sleep time: -94593s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe TID: 6164 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe TID: 7444 Thread sleep time: -32281802128991695s >= -30000s
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe TID: 7444 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe TID: 7444 Thread sleep time: -99891s >= -30000s
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe TID: 7444 Thread sleep time: -99777s >= -30000s
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe TID: 7444 Thread sleep time: -99670s >= -30000s
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe TID: 7444 Thread sleep time: -99547s >= -30000s
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe TID: 7444 Thread sleep time: -99438s >= -30000s
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe TID: 7444 Thread sleep time: -99313s >= -30000s
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe TID: 7444 Thread sleep time: -99188s >= -30000s
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe TID: 7444 Thread sleep time: -99079s >= -30000s
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe TID: 7444 Thread sleep time: -98968s >= -30000s
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe TID: 7444 Thread sleep time: -98844s >= -30000s
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe TID: 7444 Thread sleep time: -98735s >= -30000s
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe TID: 7444 Thread sleep time: -98610s >= -30000s
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe TID: 7444 Thread sleep time: -98485s >= -30000s
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe TID: 7444 Thread sleep time: -98360s >= -30000s
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe TID: 7444 Thread sleep time: -98235s >= -30000s
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe TID: 7444 Thread sleep time: -98110s >= -30000s
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe TID: 7444 Thread sleep time: -97985s >= -30000s
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe TID: 7444 Thread sleep time: -97860s >= -30000s
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe TID: 7444 Thread sleep time: -97747s >= -30000s
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe TID: 7444 Thread sleep time: -97625s >= -30000s
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe TID: 7444 Thread sleep time: -97516s >= -30000s
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe TID: 7444 Thread sleep time: -97391s >= -30000s
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe TID: 7444 Thread sleep time: -97275s >= -30000s
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe TID: 7444 Thread sleep time: -97157s >= -30000s
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe TID: 7444 Thread sleep time: -97032s >= -30000s
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe TID: 7444 Thread sleep time: -96922s >= -30000s
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe TID: 7444 Thread sleep time: -96813s >= -30000s
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe TID: 7444 Thread sleep time: -96702s >= -30000s
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe TID: 7444 Thread sleep time: -96579s >= -30000s
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe TID: 7444 Thread sleep time: -96454s >= -30000s
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe TID: 7444 Thread sleep time: -96329s >= -30000s
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe TID: 7444 Thread sleep time: -96216s >= -30000s
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe TID: 7444 Thread sleep time: -96094s >= -30000s
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe TID: 7444 Thread sleep time: -95985s >= -30000s
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe TID: 7444 Thread sleep time: -95860s >= -30000s
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe TID: 7444 Thread sleep time: -95735s >= -30000s
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe TID: 7444 Thread sleep time: -95544s >= -30000s
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe TID: 7444 Thread sleep time: -95437s >= -30000s
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe TID: 7444 Thread sleep time: -95297s >= -30000s
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe TID: 7444 Thread sleep time: -94912s >= -30000s
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe TID: 7444 Thread sleep time: -94631s >= -30000s
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe TID: 7444 Thread sleep time: -94511s >= -30000s
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe TID: 7444 Thread sleep time: -92940s >= -30000s
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe TID: 7444 Thread sleep time: -92763s >= -30000s
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe TID: 7444 Thread sleep time: -92641s >= -30000s
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe TID: 7444 Thread sleep time: -92531s >= -30000s
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe TID: 7444 Thread sleep time: -92422s >= -30000s
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe TID: 7444 Thread sleep time: -92313s >= -30000s
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe TID: 7444 Thread sleep time: -92188s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7508 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7924 Thread sleep time: -27670116110564310s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7924 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7924 Thread sleep time: -99860s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7924 Thread sleep time: -99734s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7924 Thread sleep time: -99625s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7924 Thread sleep time: -99509s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7924 Thread sleep time: -99406s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7924 Thread sleep time: -99297s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7924 Thread sleep time: -99188s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7924 Thread sleep time: -99063s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7924 Thread sleep time: -98938s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7924 Thread sleep time: -98828s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7924 Thread sleep time: -98719s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7924 Thread sleep time: -98594s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7924 Thread sleep time: -98475s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7924 Thread sleep time: -98359s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7924 Thread sleep time: -98250s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7924 Thread sleep time: -98141s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7924 Thread sleep time: -98031s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7924 Thread sleep time: -97922s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7924 Thread sleep time: -97812s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7924 Thread sleep time: -97682s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7924 Thread sleep time: -97562s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7924 Thread sleep time: -97427s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7924 Thread sleep time: -97311s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7924 Thread sleep time: -97201s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7924 Thread sleep time: -97094s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7924 Thread sleep time: -96984s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7924 Thread sleep time: -96875s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7924 Thread sleep time: -96766s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7924 Thread sleep time: -96641s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7924 Thread sleep time: -96516s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7924 Thread sleep time: -96406s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7924 Thread sleep time: -96297s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7924 Thread sleep time: -96188s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7924 Thread sleep time: -96063s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7924 Thread sleep time: -95938s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7924 Thread sleep time: -95813s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7924 Thread sleep time: -95703s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7924 Thread sleep time: -95594s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7924 Thread sleep time: -95483s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7924 Thread sleep time: -95375s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7924 Thread sleep time: -95266s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7924 Thread sleep time: -95156s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7924 Thread sleep time: -95047s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7924 Thread sleep time: -94938s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7924 Thread sleep time: -94811s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7924 Thread sleep time: -94700s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7924 Thread sleep time: -94594s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7924 Thread sleep time: -94485s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7924 Thread sleep time: -94372s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7976 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8172 Thread sleep count: 40 > 30
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8172 Thread sleep time: -36893488147419080s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8172 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8176 Thread sleep count: 5890 > 30
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8172 Thread sleep time: -99891s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8176 Thread sleep count: 3951 > 30
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8172 Thread sleep time: -99781s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8172 Thread sleep time: -99672s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8172 Thread sleep time: -99562s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8172 Thread sleep time: -99453s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8172 Thread sleep time: -99343s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8172 Thread sleep time: -99234s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8172 Thread sleep time: -99125s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8172 Thread sleep time: -99015s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8172 Thread sleep time: -98906s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8172 Thread sleep time: -98797s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8172 Thread sleep time: -98687s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8172 Thread sleep time: -98578s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8172 Thread sleep time: -98469s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8172 Thread sleep time: -98358s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8172 Thread sleep time: -98250s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8172 Thread sleep time: -98141s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8172 Thread sleep time: -98031s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8172 Thread sleep time: -97922s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8172 Thread sleep time: -97809s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8172 Thread sleep time: -97687s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8172 Thread sleep time: -97578s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8172 Thread sleep time: -97469s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8172 Thread sleep time: -97359s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8172 Thread sleep time: -97250s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8172 Thread sleep time: -97139s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8172 Thread sleep time: -97031s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8172 Thread sleep time: -96922s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8172 Thread sleep time: -96812s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8172 Thread sleep time: -96703s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8172 Thread sleep time: -96593s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8172 Thread sleep time: -96484s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8172 Thread sleep time: -96375s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8172 Thread sleep time: -96265s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8172 Thread sleep time: -96156s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8172 Thread sleep time: -96047s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8172 Thread sleep time: -95906s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8172 Thread sleep time: -95796s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8172 Thread sleep time: -95687s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8172 Thread sleep time: -95578s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8172 Thread sleep time: -95468s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8172 Thread sleep time: -95182s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8172 Thread sleep time: -95062s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8172 Thread sleep time: -94953s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8172 Thread sleep time: -94843s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8172 Thread sleep time: -93493s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8172 Thread sleep time: -93375s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8172 Thread sleep time: -93266s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8172 Thread sleep time: -93156s >= -30000s
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Thread delayed: delay time: 100000 Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Thread delayed: delay time: 99890 Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Thread delayed: delay time: 99780 Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Thread delayed: delay time: 99635 Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Thread delayed: delay time: 99531 Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Thread delayed: delay time: 99422 Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Thread delayed: delay time: 99312 Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Thread delayed: delay time: 99203 Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Thread delayed: delay time: 99093 Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Thread delayed: delay time: 98984 Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Thread delayed: delay time: 98874 Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Thread delayed: delay time: 98765 Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Thread delayed: delay time: 98656 Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Thread delayed: delay time: 98547 Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Thread delayed: delay time: 98437 Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Thread delayed: delay time: 98328 Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Thread delayed: delay time: 98218 Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Thread delayed: delay time: 98109 Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Thread delayed: delay time: 97992 Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Thread delayed: delay time: 97890 Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Thread delayed: delay time: 97781 Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Thread delayed: delay time: 97664 Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Thread delayed: delay time: 97562 Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Thread delayed: delay time: 97453 Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Thread delayed: delay time: 97343 Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Thread delayed: delay time: 97234 Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Thread delayed: delay time: 97124 Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Thread delayed: delay time: 97015 Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Thread delayed: delay time: 96906 Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Thread delayed: delay time: 96797 Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Thread delayed: delay time: 96686 Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Thread delayed: delay time: 96578 Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Thread delayed: delay time: 96468 Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Thread delayed: delay time: 96359 Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Thread delayed: delay time: 96250 Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Thread delayed: delay time: 96140 Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Thread delayed: delay time: 96031 Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Thread delayed: delay time: 95921 Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Thread delayed: delay time: 95811 Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Thread delayed: delay time: 95703 Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Thread delayed: delay time: 95593 Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Thread delayed: delay time: 95484 Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Thread delayed: delay time: 95375 Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Thread delayed: delay time: 95263 Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Thread delayed: delay time: 95156 Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Thread delayed: delay time: 95047 Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Thread delayed: delay time: 94921 Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Thread delayed: delay time: 94812 Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Thread delayed: delay time: 94703 Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Thread delayed: delay time: 94593 Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Thread delayed: delay time: 99891
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Thread delayed: delay time: 99777
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Thread delayed: delay time: 99670
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Thread delayed: delay time: 99547
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Thread delayed: delay time: 99438
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Thread delayed: delay time: 99313
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Thread delayed: delay time: 99188
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Thread delayed: delay time: 99079
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Thread delayed: delay time: 98968
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Thread delayed: delay time: 98844
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Thread delayed: delay time: 98735
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Thread delayed: delay time: 98610
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Thread delayed: delay time: 98485
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Thread delayed: delay time: 98360
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Thread delayed: delay time: 98235
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Thread delayed: delay time: 98110
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Thread delayed: delay time: 97985
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Thread delayed: delay time: 97860
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Thread delayed: delay time: 97747
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Thread delayed: delay time: 97625
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Thread delayed: delay time: 97516
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Thread delayed: delay time: 97391
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Thread delayed: delay time: 97275
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Thread delayed: delay time: 97157
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Thread delayed: delay time: 97032
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Thread delayed: delay time: 96922
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Thread delayed: delay time: 96813
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Thread delayed: delay time: 96702
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Thread delayed: delay time: 96579
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Thread delayed: delay time: 96454
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Thread delayed: delay time: 96329
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Thread delayed: delay time: 96216
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Thread delayed: delay time: 96094
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Thread delayed: delay time: 95985
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Thread delayed: delay time: 95860
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Thread delayed: delay time: 95735
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Thread delayed: delay time: 95544
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Thread delayed: delay time: 95437
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Thread delayed: delay time: 95297
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Thread delayed: delay time: 94912
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Thread delayed: delay time: 94631
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Thread delayed: delay time: 94511
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Thread delayed: delay time: 92940
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Thread delayed: delay time: 92763
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Thread delayed: delay time: 92641
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Thread delayed: delay time: 92531
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Thread delayed: delay time: 92422
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Thread delayed: delay time: 92313
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Thread delayed: delay time: 92188
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 99860
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 99734
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 99625
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 99509
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 99406
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 99297
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 99188
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 99063
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 98938
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 98828
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 98719
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 98594
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 98475
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 98359
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 98250
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 98141
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 98031
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 97922
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 97812
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 97682
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 97562
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 97427
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 97311
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 97201
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 97094
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 96984
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 96875
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 96766
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 96641
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 96516
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 96406
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 96297
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 96188
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 96063
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 95938
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 95813
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 95703
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 95594
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 95483
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 95375
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 95266
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 95156
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 95047
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 94938
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 94811
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 94700
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 94594
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 94485
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 94372
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 99891
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 99781
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 99672
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 99562
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 99453
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 99343
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 99234
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 99125
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 99015
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 98906
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 98797
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 98687
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 98578
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 98469
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 98358
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 98250
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 98141
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 98031
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 97922
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 97809
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 97687
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 97578
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 97469
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 97359
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 97250
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 97139
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 97031
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 96922
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 96812
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 96703
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 96593
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 96484
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 96375
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 96265
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 96156
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 96047
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 95906
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 95796
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 95687
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 95578
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 95468
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 95182
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 95062
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 94953
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 94843
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 93493
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 93375
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 93266
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 93156
Source: BjTxJte.exe, 0000000F.00000002.2215521598.0000000000EBF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}q
Source: VN24A02765.PDF.exe, 00000009.00000002.4455783516.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp, bSQtuQYbAR.exe, 0000000E.00000002.4457931779.0000000001865000.00000004.00000020.00020000.00000000.sdmp, BjTxJte.exe, 00000018.00000002.4458733819.0000000000E4B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: BjTxJte.exe, 00000014.00000002.4455989011.00000000011A3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlljj
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process information queried: ProcessInformation Jump to behavior
Enables debug privileges
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Adds a directory exclusion to Windows Defender
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\VN24A02765.PDF.exe"
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe"
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\VN24A02765.PDF.exe" Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe" Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Memory written: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory written: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe base: 400000 value starts with: 4D5A
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\VN24A02765.PDF.exe" Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe" Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bSQtuQYbAR" /XML "C:\Users\user\AppData\Local\Temp\tmp9B6D.tmp" Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process created: C:\Users\user\Desktop\VN24A02765.PDF.exe "C:\Users\user\Desktop\VN24A02765.PDF.exe" Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Process created: C:\Users\user\Desktop\VN24A02765.PDF.exe "C:\Users\user\Desktop\VN24A02765.PDF.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bSQtuQYbAR" /XML "C:\Users\user\AppData\Local\Temp\tmpB0CA.tmp" Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Process created: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe "C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bSQtuQYbAR" /XML "C:\Users\user\AppData\Local\Temp\tmpDC01.tmp"
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process created: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe "C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe"
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process created: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe "C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe"
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bSQtuQYbAR" /XML "C:\Users\user\AppData\Local\Temp\tmpF68D.tmp"
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process created: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe "C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe"
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Queries volume information: C:\Users\user\Desktop\VN24A02765.PDF.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Queries volume information: C:\Users\user\Desktop\VN24A02765.PDF.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Queries volume information: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Queries volume information: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Queries volume information: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Queries volume information: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Queries volume information: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Queries volume information: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected AgentTesla
Source: Yara match File source: 0.2.VN24A02765.PDF.exe.4a2eba0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.bSQtuQYbAR.exe.3634928.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.BjTxJte.exe.4a5f430.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.VN24A02765.PDF.exe.4a69dc0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.BjTxJte.exe.424f8f0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.BjTxJte.exe.428ab10.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.BjTxJte.exe.4a9a650.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.bSQtuQYbAR.exe.35f9708.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.bSQtuQYbAR.exe.35f9708.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.BjTxJte.exe.4a5f430.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.BjTxJte.exe.428ab10.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.BjTxJte.exe.4a9a650.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.bSQtuQYbAR.exe.3634928.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.VN24A02765.PDF.exe.4a69dc0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.BjTxJte.exe.424f8f0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.VN24A02765.PDF.exe.4a2eba0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000018.00000002.4462755266.00000000029FC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.4461178169.0000000002EFC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2107341426.00000000035F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.4462904487.0000000002EDC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.4463937161.0000000003441000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.4462904487.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2219378794.0000000004A5F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.4462755266.00000000029D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.4463937161.000000000348A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2055071767.0000000004A2E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.2292150446.000000000424F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.4461178169.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: VN24A02765.PDF.exe PID: 3140, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: VN24A02765.PDF.exe PID: 5428, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: bSQtuQYbAR.exe PID: 5948, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: bSQtuQYbAR.exe PID: 7344, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: BjTxJte.exe PID: 7480, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: BjTxJte.exe PID: 7796, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: BjTxJte.exe PID: 7956, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: BjTxJte.exe PID: 8072, type: MEMORYSTR
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe File opened: C:\FTP Navigator\Ftplist.txt
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles Jump to behavior
Source: C:\Users\user\Desktop\VN24A02765.PDF.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\bSQtuQYbAR.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Yara detected Credential Stealer
Source: Yara match File source: 0.2.VN24A02765.PDF.exe.4a2eba0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.bSQtuQYbAR.exe.3634928.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.BjTxJte.exe.4a5f430.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.VN24A02765.PDF.exe.4a69dc0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.BjTxJte.exe.424f8f0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.BjTxJte.exe.428ab10.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.BjTxJte.exe.4a9a650.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.bSQtuQYbAR.exe.35f9708.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.bSQtuQYbAR.exe.35f9708.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.BjTxJte.exe.4a5f430.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.BjTxJte.exe.428ab10.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.BjTxJte.exe.4a9a650.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.bSQtuQYbAR.exe.3634928.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.VN24A02765.PDF.exe.4a69dc0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.BjTxJte.exe.424f8f0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.VN24A02765.PDF.exe.4a2eba0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.2107341426.00000000035F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.4463937161.0000000003441000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.4462904487.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2219378794.0000000004A5F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.4462755266.00000000029D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2055071767.0000000004A2E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.2292150446.000000000424F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.4461178169.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: VN24A02765.PDF.exe PID: 3140, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: VN24A02765.PDF.exe PID: 5428, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: bSQtuQYbAR.exe PID: 5948, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: bSQtuQYbAR.exe PID: 7344, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: BjTxJte.exe PID: 7480, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: BjTxJte.exe PID: 7796, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: BjTxJte.exe PID: 7956, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: BjTxJte.exe PID: 8072, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected AgentTesla
Source: Yara match File source: 0.2.VN24A02765.PDF.exe.4a2eba0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.bSQtuQYbAR.exe.3634928.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.BjTxJte.exe.4a5f430.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.VN24A02765.PDF.exe.4a69dc0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.BjTxJte.exe.424f8f0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.BjTxJte.exe.428ab10.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.BjTxJte.exe.4a9a650.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.bSQtuQYbAR.exe.35f9708.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.bSQtuQYbAR.exe.35f9708.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.BjTxJte.exe.4a5f430.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.BjTxJte.exe.428ab10.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.BjTxJte.exe.4a9a650.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.bSQtuQYbAR.exe.3634928.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.VN24A02765.PDF.exe.4a69dc0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.BjTxJte.exe.424f8f0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.VN24A02765.PDF.exe.4a2eba0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000018.00000002.4462755266.00000000029FC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.4461178169.0000000002EFC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2107341426.00000000035F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.4462904487.0000000002EDC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.4463937161.0000000003441000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.4462904487.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2219378794.0000000004A5F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.4462755266.00000000029D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.4463937161.000000000348A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2055071767.0000000004A2E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.2292150446.000000000424F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.4461178169.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: VN24A02765.PDF.exe PID: 3140, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: VN24A02765.PDF.exe PID: 5428, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: bSQtuQYbAR.exe PID: 5948, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: bSQtuQYbAR.exe PID: 7344, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: BjTxJte.exe PID: 7480, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: BjTxJte.exe PID: 7796, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: BjTxJte.exe PID: 7956, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: BjTxJte.exe PID: 8072, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1429032 Sample: VN24A02765.PDF.exe Startdate: 20/04/2024 Architecture: WINDOWS Score: 100 63 mail.flexwelltour.com 2->63 65 flexwelltour.com 2->65 67 api.ipify.org 2->67 73 Found malware configuration 2->73 75 Malicious sample detected (through community Yara rule) 2->75 77 Sigma detected: Scheduled temp file as task from temp location 2->77 79 13 other signatures 2->79 8 VN24A02765.PDF.exe 7 2->8         started        12 bSQtuQYbAR.exe 5 2->12         started        14 BjTxJte.exe 2->14         started        16 BjTxJte.exe 2->16         started        signatures3 process4 file5 59 C:\Users\user\AppData\...\bSQtuQYbAR.exe, PE32 8->59 dropped 61 C:\Users\user\AppData\Local\...\tmp9B6D.tmp, XML 8->61 dropped 97 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 8->97 99 Adds a directory exclusion to Windows Defender 8->99 18 VN24A02765.PDF.exe 16 5 8->18         started        23 powershell.exe 23 8->23         started        35 2 other processes 8->35 101 Multi AV Scanner detection for dropped file 12->101 103 Machine Learning detection for dropped file 12->103 105 Injects a PE file into a foreign processes 12->105 25 bSQtuQYbAR.exe 12->25         started        27 schtasks.exe 12->27         started        29 BjTxJte.exe 14->29         started        37 2 other processes 14->37 31 BjTxJte.exe 16->31         started        33 schtasks.exe 16->33         started        signatures6 process7 dnsIp8 69 api.ipify.org 104.26.13.205, 443, 49704, 49706 CLOUDFLARENETUS United States 18->69 71 flexwelltour.com 94.199.200.238, 587 AEROTEK-ASTR Turkey 18->71 55 C:\Users\user\AppData\Roaming\...\BjTxJte.exe, PE32 18->55 dropped 57 C:\Users\user\...\BjTxJte.exe:Zone.Identifier, ASCII 18->57 dropped 81 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 18->81 83 Tries to steal Mail credentials (via file / registry access) 18->83 85 Hides that the sample has been downloaded from the Internet (zone.identifier) 18->85 87 Uses schtasks.exe or at.exe to add and modify task schedules 23->87 89 Loading BitLocker PowerShell Module 23->89 39 conhost.exe 23->39         started        41 conhost.exe 27->41         started        91 Tries to harvest and steal ftp login credentials 31->91 93 Tries to harvest and steal browser information (history, passwords, etc) 31->93 95 Installs a global keyboard hook 31->95 43 conhost.exe 33->43         started        45 conhost.exe 35->45         started        47 conhost.exe 35->47         started        49 schtasks.exe 1 35->49         started        51 WmiPrvSE.exe 35->51         started        53 conhost.exe 37->53         started        file9 signatures10 process11
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
94.199.200.238
 flexwelltour.com Turkey
42807 AEROTEK-ASTR false
104.26.13.205
 api.ipify.org United States
13335 CLOUDFLARENETUS false

Contacted Domains

Name IP Active
flexwelltour.com 94.199.200.238 true
api.ipify.org 104.26.13.205 true
mail.flexwelltour.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://api.ipify.org/ false
    		high