Windows Analysis Report
Statement of Account PDF.bat.exe

Overview

General Information

Sample name: Statement of Account PDF.bat.exe
Analysis ID: 1432040
MD5: 8db4915ba4e6bb27cb249554a18a9f4c
SHA1: fd3e06212f9da365c2106dcd808caf291ccb3a2a
SHA256: 470e7bcb766a436b50d28e362621b59467b6e6aa4146b467f4175a8b5c9eaa04
Tags: AgentTesla, bat, exe, Shipping

Detection

AgentTesla, PureLog Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected PureLog Stealer
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

AV Detection

Source: 25.2.BjTxJte.exe.4798530.6.raw.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.fascia-arch.com", "Username": "brian@fascia-arch.com", "Password": "HERbertstown1987"}
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Virustotal: Detection: 56%
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Virustotal: Detection: 56%
Source: Statement of Account PDF.bat.exe ReversingLabs: Detection: 47%
Source: Statement of Account PDF.bat.exe Virustotal: Detection: 56%
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Joe Sandbox ML: detected
Source: Statement of Account PDF.bat.exe Joe Sandbox ML: detected
Source: Statement of Account PDF.bat.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49755 version: TLS 1.2
Source: Statement of Account PDF.bat.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: System.Data.pdb source: WER211D.tmp.dmp.24.dr, WERFDF5.tmp.dmp.17.dr, WER4195.tmp.dmp.32.dr
Source: Binary string: System.Xml.ni.pdb source: WER211D.tmp.dmp.24.dr, WERFDF5.tmp.dmp.17.dr, WER4195.tmp.dmp.32.dr
Source: Binary string: Accessibility.pdb source: WER211D.tmp.dmp.24.dr, WERFDF5.tmp.dmp.17.dr, WER4195.tmp.dmp.32.dr
Source: Binary string: System.ni.pdbRSDS source: WER211D.tmp.dmp.24.dr, WERFDF5.tmp.dmp.17.dr, WER4195.tmp.dmp.32.dr
Source: Binary string: Microsoft.VisualBasic.pdbu source: WERFDF5.tmp.dmp.17.dr
Source: Binary string: System.Configuration.ni.pdb source: WER211D.tmp.dmp.24.dr, WERFDF5.tmp.dmp.17.dr, WER4195.tmp.dmp.32.dr
Source: Binary string: mscorlib.ni.pdbRSDS source: WER211D.tmp.dmp.24.dr, WERFDF5.tmp.dmp.17.dr, WER4195.tmp.dmp.32.dr
Source: Binary string: System.Data.ni.pdb source: WER211D.tmp.dmp.24.dr, WERFDF5.tmp.dmp.17.dr, WER4195.tmp.dmp.32.dr
Source: Binary string: System.Configuration.pdb source: WER211D.tmp.dmp.24.dr, WERFDF5.tmp.dmp.17.dr, WER4195.tmp.dmp.32.dr
Source: Binary string: UbK.pdb source: Statement of Account PDF.bat.exe, gDdsxauPhk.exe.0.dr, BjTxJte.exe.8.dr, WER211D.tmp.dmp.24.dr, WERFDF5.tmp.dmp.17.dr, WER4195.tmp.dmp.32.dr
Source: Binary string: System.pdbMZ source: WER211D.tmp.dmp.24.dr
Source: Binary string: System.Core.pdbMZ@ source: WER211D.tmp.dmp.24.dr
Source: Binary string: System.Xml.pdb source: WER211D.tmp.dmp.24.dr, WERFDF5.tmp.dmp.17.dr, WER4195.tmp.dmp.32.dr
Source: Binary string: System.pdb source: WER211D.tmp.dmp.24.dr, WERFDF5.tmp.dmp.17.dr, WER4195.tmp.dmp.32.dr
Source: Binary string: System.Xml.ni.pdbRSDS# source: WER211D.tmp.dmp.24.dr, WERFDF5.tmp.dmp.17.dr, WER4195.tmp.dmp.32.dr
Source: Binary string: Microsoft.VisualBasic.pdb source: WER211D.tmp.dmp.24.dr, WERFDF5.tmp.dmp.17.dr, WER4195.tmp.dmp.32.dr
Source: Binary string: System.Core.ni.pdb source: WER211D.tmp.dmp.24.dr, WERFDF5.tmp.dmp.17.dr, WER4195.tmp.dmp.32.dr
Source: Binary string: System.Drawing.pdbt source: WER4195.tmp.dmp.32.dr
Source: Binary string: System.Windows.Forms.pdb source: WER211D.tmp.dmp.24.dr, WERFDF5.tmp.dmp.17.dr, WER4195.tmp.dmp.32.dr
Source: Binary string: Microsoft.VisualBasic.pdbMZ source: WER211D.tmp.dmp.24.dr
Source: Binary string: Accessibility.pdbSystem.ni.dllSystem.Core.dll4 source: WER211D.tmp.dmp.24.dr
Source: Binary string: mscorlib.pdb source: WER211D.tmp.dmp.24.dr, WERFDF5.tmp.dmp.17.dr, WER4195.tmp.dmp.32.dr
Source: Binary string: System.Drawing.pdb source: WER211D.tmp.dmp.24.dr, WERFDF5.tmp.dmp.17.dr, WER4195.tmp.dmp.32.dr
Source: Binary string: mscorlib.ni.pdb source: WER211D.tmp.dmp.24.dr, WERFDF5.tmp.dmp.17.dr, WER4195.tmp.dmp.32.dr
Source: Binary string: System.Data.ni.pdbRSDS source: WER211D.tmp.dmp.24.dr, WERFDF5.tmp.dmp.17.dr, WER4195.tmp.dmp.32.dr
Source: Binary string: UbK.pdbSHA256 source: Statement of Account PDF.bat.exe, gDdsxauPhk.exe.0.dr, BjTxJte.exe.8.dr
Source: Binary string: System.Core.pdb source: WER211D.tmp.dmp.24.dr, WERFDF5.tmp.dmp.17.dr, WER4195.tmp.dmp.32.dr
Source: Binary string: System.pdb4 source: WERFDF5.tmp.dmp.17.dr
Source: Binary string: Accessibility.pdbMZ source: WERFDF5.tmp.dmp.17.dr
Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER211D.tmp.dmp.24.dr, WERFDF5.tmp.dmp.17.dr, WER4195.tmp.dmp.32.dr
Source: Binary string: System.ni.pdb source: WER211D.tmp.dmp.24.dr, WERFDF5.tmp.dmp.17.dr, WER4195.tmp.dmp.32.dr
Source: Binary string: System.Data.pdb, source: WER211D.tmp.dmp.24.dr, WERFDF5.tmp.dmp.17.dr, WER4195.tmp.dmp.32.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WER211D.tmp.dmp.24.dr, WERFDF5.tmp.dmp.17.dr, WER4195.tmp.dmp.32.dr
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_BjTxJte.exe_f5c09dd75b90d612af8c658c8837992c387ee89_843aacda_4690c535-c6af-41e6-8128-f3000ded106c\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_gDdsxauPhk.exe_e2c8de6e9dfbc3bf198524a8a8bae3ea56c2edb2_cb724c00_6c828731-bc0c-4d10-93b3-5ed4934f0644\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue
Source: global traffic TCP traffic: 192.168.2.4:49736 -> 50.87.195.61:587
Source: Joe Sandbox View IP Address: 104.26.12.205
Source: Joe Sandbox View IP Address: 50.87.195.61
Source: Joe Sandbox View ASN Name: UNIFIEDLAYER-AS-1US
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown DNS query: name: api.ipify.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
  Host: api.ipify.org
  Connection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: api.ipify.org
Source: global traffic DNS traffic detected: DNS query: mail.fascia-arch.com
Source: Statement of Account PDF.bat.exe, gDdsxauPhk.exe, BjTxJte.exe (multiple process memory dumps, .sdmp) String found in binary or memory: http://mail.fascia-arch.com
Source: Statement of Account PDF.bat.exe, gDdsxauPhk.exe (multiple process memory dumps, .sdmp) String found in binary or memory: http://r3.i.lencr.org/0
Source: Statement of Account PDF.bat.exe, gDdsxauPhk.exe (multiple process memory dumps, .sdmp) String found in binary or memory: http://r3.o.lencr.org0
Source: Statement of Account PDF.bat.exe, 00000000.00000002.1699276440.00000000029BD000.00000004.00000800.00020000.00000000.sdmp, Statement of Account PDF.bat.exe, 00000008.00000002.4082420582.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, gDdsxauPhk.exe, 0000000A.00000002.1763034515.00000000025BD000.00000004.00000800.00020000.00000000.sdmp, gDdsxauPhk.exe, 0000000F.00000002.4080192144.0000000003031000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000012.00000002.1853285183.0000000002E70000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000012.00000002.1853285183.0000000002C46000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000016.00000002.1928490064.00000000034F1000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000019.00000002.1940766232.0000000002AB6000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000019.00000002.1940766232.0000000002CE0000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 0000001E.00000002.4081952252.000000000290C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Statement of Account PDF.bat.exe, 00000000.00000002.1707492672.0000000006D32000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Statement of Account PDF.bat.exe, 00000000.00000002.1707110996.0000000005BF7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.ascendercorp.com/typedesigners.htmlqX
Source: Statement of Account PDF.bat.exe, 00000000.00000002.1707492672.0000000006D32000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: Statement of Account PDF.bat.exe, 00000000.00000002.1707492672.0000000006D32000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: Statement of Account PDF.bat.exe, 00000000.00000002.1707492672.0000000006D32000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: Statement of Account PDF.bat.exe, 00000000.00000002.1707492672.0000000006D32000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Statement of Account PDF.bat.exe, 00000000.00000002.1707492672.0000000006D32000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Statement of Account PDF.bat.exe, 00000000.00000002.1707492672.0000000006D32000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Statement of Account PDF.bat.exe, 00000000.00000002.1707492672.0000000006D32000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: Statement of Account PDF.bat.exe, 00000000.00000002.1707492672.0000000006D32000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: Statement of Account PDF.bat.exe, 00000000.00000002.1707492672.0000000006D32000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: Statement of Account PDF.bat.exe, 00000000.00000002.1707492672.0000000006D32000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: Statement of Account PDF.bat.exe, 00000000.00000002.1707492672.0000000006D32000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: Statement of Account PDF.bat.exe, 00000000.00000002.1707492672.0000000006D32000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Statement of Account PDF.bat.exe, 00000000.00000002.1707492672.0000000006D32000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Statement of Account PDF.bat.exe, 00000000.00000002.1707492672.0000000006D32000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Statement of Account PDF.bat.exe, 00000000.00000002.1707492672.0000000006D32000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Statement of Account PDF.bat.exe, 00000000.00000002.1707492672.0000000006D32000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: Statement of Account PDF.bat.exe, 00000000.00000002.1707492672.0000000006D32000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Statement of Account PDF.bat.exe, 00000000.00000002.1707492672.0000000006D32000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: Statement of Account PDF.bat.exe, 00000000.00000002.1707492672.0000000006D32000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: Statement of Account PDF.bat.exe, 00000000.00000002.1707492672.0000000006D32000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: Statement of Account PDF.bat.exe, 00000000.00000002.1707492672.0000000006D32000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: Statement of Account PDF.bat.exe, 00000000.00000002.1707492672.0000000006D32000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: Statement of Account PDF.bat.exe, 00000000.00000002.1707492672.0000000006D32000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: Statement of Account PDF.bat.exe, 00000000.00000002.1707492672.0000000006D32000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: Statement of Account PDF.bat.exe, gDdsxauPhk.exe (multiple process memory dumps, .sdmp) String found in binary or memory: http://x1.c.lencr.org/0
Source: Statement of Account PDF.bat.exe, gDdsxauPhk.exe (multiple process memory dumps, .sdmp) String found in binary or memory: http://x1.i.lencr.org/0
Source: Statement of Account PDF.bat.exe, 00000000.00000002.1700653245.0000000004337000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000012.00000002.1856813364.0000000004928000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000016.00000002.1916411729.0000000000402000.00000040.00000400.00020000.00000000.sdmp, BjTxJte.exe, 00000019.00000002.1945703172.0000000004798000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://account.dyn.com/
Source: Statement of Account PDF.bat.exe, 00000000.00000002.1700653245.0000000004337000.00000004.00000800.00020000.00000000.sdmp, Statement of Account PDF.bat.exe, 00000008.00000002.4082420582.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, gDdsxauPhk.exe, 0000000F.00000002.4080192144.0000000003031000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000012.00000002.1856813364.0000000004928000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000016.00000002.1916411729.0000000000402000.00000040.00000400.00020000.00000000.sdmp, BjTxJte.exe, 00000016.00000002.1928490064.00000000034F1000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000019.00000002.1945703172.0000000004798000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 0000001E.00000002.4081952252.000000000290C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org
Source: gDdsxauPhk.exe, 0000000F.00000002.4080192144.0000000003031000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000016.00000002.1928490064.00000000034F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/
Source: gDdsxauPhk.exe, 0000000F.00000002.4080192144.0000000003031000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000016.00000002.1928490064.00000000034F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/t
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49755 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.Statement of Account PDF.bat.exe.43bdcb0.5.raw.unpack, 8WWn.cs .Net Code: UOFvW
Source: 0.2.Statement of Account PDF.bat.exe.43f8cd0.3.raw.unpack, 8WWn.cs .Net Code: UOFvW
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\Statement of Account PDF.bat.exe
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\gDdsxauPhk.exe
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Window created: window name: CLIPBRDWNDCLASS

System Summary

Source: 25.2.BjTxJte.exe.4798530.6.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 18.2.BjTxJte.exe.4963d80.8.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 22.2.BjTxJte.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Statement of Account PDF.bat.exe.43bdcb0.5.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Statement of Account PDF.bat.exe.43f8cd0.3.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 18.2.BjTxJte.exe.4928d60.7.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 25.2.BjTxJte.exe.47d3550.5.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 25.2.BjTxJte.exe.47d3550.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 18.2.BjTxJte.exe.4928d60.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 25.2.BjTxJte.exe.4798530.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 18.2.BjTxJte.exe.4963d80.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Statement of Account PDF.bat.exe.43bdcb0.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Statement of Account PDF.bat.exe.43f8cd0.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7440 -s 1816
Source: Statement of Account PDF.bat.exe Binary or memory string: OriginalFilename vs Statement of Account PDF.bat.exe
Source: Statement of Account PDF.bat.exe, 00000000.00000002.1700653245.000000000459D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs Statement of Account PDF.bat.exe
Source: Statement of Account PDF.bat.exe, 00000000.00000000.1626756757.0000000000580000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameUbK.exe& vs Statement of Account PDF.bat.exe
Source: Statement of Account PDF.bat.exe, 00000000.00000002.1709155218.0000000007288000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUbK.exe& vs Statement of Account PDF.bat.exe
Source: Statement of Account PDF.bat.exe, 00000000.00000002.1700653245.0000000004337000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamec0fe0520-5c7a-42ab-a1ed-336010ccc94a.exe4 vs Statement of Account PDF.bat.exe
Source: Statement of Account PDF.bat.exe, 00000000.00000002.1710403251.0000000007620000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs Statement of Account PDF.bat.exe
Source: Statement of Account PDF.bat.exe, 00000000.00000002.1699276440.0000000002A5C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamec0fe0520-5c7a-42ab-a1ed-336010ccc94a.exe4 vs Statement of Account PDF.bat.exe
Source: Statement of Account PDF.bat.exe, 00000000.00000002.1694061767.0000000000ABE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Statement of Account PDF.bat.exe
Source: Statement of Account PDF.bat.exe, 00000008.00000002.4071828324.0000000000EF9000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Statement of Account PDF.bat.exe
Source: Statement of Account PDF.bat.exe Binary or memory string: OriginalFilenameUbK.exe& vs Statement of Account PDF.bat.exe
Source: Statement of Account PDF.bat.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 25.2.BjTxJte.exe.4798530.6.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 18.2.BjTxJte.exe.4963d80.8.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 22.2.BjTxJte.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Statement of Account PDF.bat.exe.43bdcb0.5.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Statement of Account PDF.bat.exe.43f8cd0.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 18.2.BjTxJte.exe.4928d60.7.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 25.2.BjTxJte.exe.47d3550.5.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 25.2.BjTxJte.exe.47d3550.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 18.2.BjTxJte.exe.4928d60.7.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 25.2.BjTxJte.exe.4798530.6.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 18.2.BjTxJte.exe.4963d80.8.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Statement of Account PDF.bat.exe.43bdcb0.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Statement of Account PDF.bat.exe.43f8cd0.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: Statement of Account PDF.bat.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: gDdsxauPhk.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.Statement of Account PDF.bat.exe.43bdcb0.5.raw.unpack, G39cBQ.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Statement of Account PDF.bat.exe.43bdcb0.5.raw.unpack, sDtvQjPGfa.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Statement of Account PDF.bat.exe.43bdcb0.5.raw.unpack, b1PPCKov2KZ.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Statement of Account PDF.bat.exe.43bdcb0.5.raw.unpack, b1PPCKov2KZ.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.Statement of Account PDF.bat.exe.45bb430.4.raw.unpack, Dr83W1h4x8JWr6EBI0.cs Security API names: _0020.SetAccessControl
Source: 0.2.Statement of Account PDF.bat.exe.45bb430.4.raw.unpack, Dr83W1h4x8JWr6EBI0.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Statement of Account PDF.bat.exe.45bb430.4.raw.unpack, Dr83W1h4x8JWr6EBI0.cs Security API names: _0020.AddAccessRule
Source: 0.2.Statement of Account PDF.bat.exe.45bb430.4.raw.unpack, rX6SQY6VW0eXSFLNTj.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@36/32@2/2
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe File created: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess8032
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2996:120:WilError_03
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6736:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7440
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Mutant created: \Sessions\1\BaseNamedObjects\JATJfqjfmxt
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7676:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7688:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7052:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7400
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3864:120:WilError_03
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe File created: C:\Users\user\AppData\Local\Temp\tmp690.tmp
Source: Statement of Account PDF.bat.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Statement of Account PDF.bat.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Statement of Account PDF.bat.exe ReversingLabs: Detection: 47%
Source: Statement of Account PDF.bat.exe Virustotal: Detection: 56%
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe File read: C:\Users\user\Desktop\Statement of Account PDF.bat.exe
Source: unknown Process created: C:\Users\user\Desktop\Statement of Account PDF.bat.exe "C:\Users\user\Desktop\Statement of Account PDF.bat.exe"
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Statement of Account PDF.bat.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gDdsxauPhk.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gDdsxauPhk" /XML "C:\Users\user\AppData\Local\Temp\tmp690.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Process created: C:\Users\user\Desktop\Statement of Account PDF.bat.exe "C:\Users\user\Desktop\Statement of Account PDF.bat.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe C:\Users\user\AppData\Roaming\gDdsxauPhk.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gDdsxauPhk" /XML "C:\Users\user\AppData\Local\Temp\tmp216B.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Process created: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe "C:\Users\user\AppData\Roaming\gDdsxauPhk.exe"
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Process created: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe "C:\Users\user\AppData\Roaming\gDdsxauPhk.exe"
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7440 -s 1816
Source: unknown Process created: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe "C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe"
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gDdsxauPhk" /XML "C:\Users\user\AppData\Local\Temp\tmp44D2.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process created: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe "C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe"
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8032 -s 1828
Source: unknown Process created: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe "C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe"
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gDdsxauPhk" /XML "C:\Users\user\AppData\Local\Temp\tmp6598.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process created: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe "C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe"
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7400 -s 1788
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Statement of Account PDF.bat.exe"
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gDdsxauPhk.exe"
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gDdsxauPhk" /XML "C:\Users\user\AppData\Local\Temp\tmp690.tmp"
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Process created: C:\Users\user\Desktop\Statement of Account PDF.bat.exe "C:\Users\user\Desktop\Statement of Account PDF.bat.exe"
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gDdsxauPhk" /XML "C:\Users\user\AppData\Local\Temp\tmp216B.tmp"
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Process created: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe "C:\Users\user\AppData\Roaming\gDdsxauPhk.exe"
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Process created: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe "C:\Users\user\AppData\Roaming\gDdsxauPhk.exe"
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gDdsxauPhk" /XML "C:\Users\user\AppData\Local\Temp\tmp44D2.tmp"
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process created: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe "C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe"
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gDdsxauPhk" /XML "C:\Users\user\AppData\Local\Temp\tmp6598.tmp"
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process created: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe "C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe"
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Section loaded: rasman.dll
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
Source: Statement of Account PDF.bat.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Statement of Account PDF.bat.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Statement of Account PDF.bat.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: System.Data.pdb source: WER211D.tmp.dmp.24.dr, WERFDF5.tmp.dmp.17.dr, WER4195.tmp.dmp.32.dr
Source: Binary string: System.Xml.ni.pdb source: WER211D.tmp.dmp.24.dr, WERFDF5.tmp.dmp.17.dr, WER4195.tmp.dmp.32.dr
Source: Binary string: Accessibility.pdb source: WER211D.tmp.dmp.24.dr, WERFDF5.tmp.dmp.17.dr, WER4195.tmp.dmp.32.dr
Source: Binary string: System.ni.pdbRSDS source: WER211D.tmp.dmp.24.dr, WERFDF5.tmp.dmp.17.dr, WER4195.tmp.dmp.32.dr
Source: Binary string: Microsoft.VisualBasic.pdbu source: WERFDF5.tmp.dmp.17.dr
Source: Binary string: System.Configuration.ni.pdb source: WER211D.tmp.dmp.24.dr, WERFDF5.tmp.dmp.17.dr, WER4195.tmp.dmp.32.dr
Source: Binary string: mscorlib.ni.pdbRSDS source: WER211D.tmp.dmp.24.dr, WERFDF5.tmp.dmp.17.dr, WER4195.tmp.dmp.32.dr
Source: Binary string: System.Data.ni.pdb source: WER211D.tmp.dmp.24.dr, WERFDF5.tmp.dmp.17.dr, WER4195.tmp.dmp.32.dr
Source: Binary string: System.Configuration.pdb source: WER211D.tmp.dmp.24.dr, WERFDF5.tmp.dmp.17.dr, WER4195.tmp.dmp.32.dr
Source: Binary string: UbK.pdb source: Statement of Account PDF.bat.exe, gDdsxauPhk.exe.0.dr, BjTxJte.exe.8.dr, WER211D.tmp.dmp.24.dr, WERFDF5.tmp.dmp.17.dr, WER4195.tmp.dmp.32.dr
Source: Binary string: System.pdbMZ source: WER211D.tmp.dmp.24.dr
Source: Binary string: System.Core.pdbMZ@ source: WER211D.tmp.dmp.24.dr
Source: Binary string: System.Xml.pdb source: WER211D.tmp.dmp.24.dr, WERFDF5.tmp.dmp.17.dr, WER4195.tmp.dmp.32.dr
Source: Binary string: System.pdb source: WER211D.tmp.dmp.24.dr, WERFDF5.tmp.dmp.17.dr, WER4195.tmp.dmp.32.dr
Source: Binary string: System.Xml.ni.pdbRSDS# source: WER211D.tmp.dmp.24.dr, WERFDF5.tmp.dmp.17.dr, WER4195.tmp.dmp.32.dr
Source: Binary string: Microsoft.VisualBasic.pdb source: WER211D.tmp.dmp.24.dr, WERFDF5.tmp.dmp.17.dr, WER4195.tmp.dmp.32.dr
Source: Binary string: System.Core.ni.pdb source: WER211D.tmp.dmp.24.dr, WERFDF5.tmp.dmp.17.dr, WER4195.tmp.dmp.32.dr
Source: Binary string: System.Drawing.pdbt source: WER4195.tmp.dmp.32.dr
Source: Binary string: System.Windows.Forms.pdb source: WER211D.tmp.dmp.24.dr, WERFDF5.tmp.dmp.17.dr, WER4195.tmp.dmp.32.dr
Source: Binary string: Microsoft.VisualBasic.pdbMZ source: WER211D.tmp.dmp.24.dr
Source: Binary string: Accessibility.pdbSystem.ni.dllSystem.Core.dll4 source: WER211D.tmp.dmp.24.dr
Source: Binary string: mscorlib.pdb source: WER211D.tmp.dmp.24.dr, WERFDF5.tmp.dmp.17.dr, WER4195.tmp.dmp.32.dr
Source: Binary string: System.Drawing.pdb source: WER211D.tmp.dmp.24.dr, WERFDF5.tmp.dmp.17.dr, WER4195.tmp.dmp.32.dr
Source: Binary string: mscorlib.ni.pdb source: WER211D.tmp.dmp.24.dr, WERFDF5.tmp.dmp.17.dr, WER4195.tmp.dmp.32.dr
Source: Binary string: System.Data.ni.pdbRSDS source: WER211D.tmp.dmp.24.dr, WERFDF5.tmp.dmp.17.dr, WER4195.tmp.dmp.32.dr
Source: Binary string: UbK.pdbSHA256 source: Statement of Account PDF.bat.exe, gDdsxauPhk.exe.0.dr, BjTxJte.exe.8.dr
Source: Binary string: System.Core.pdb source: WER211D.tmp.dmp.24.dr, WERFDF5.tmp.dmp.17.dr, WER4195.tmp.dmp.32.dr
Source: Binary string: System.pdb4 source: WERFDF5.tmp.dmp.17.dr
Source: Binary string: Accessibility.pdbMZ source: WERFDF5.tmp.dmp.17.dr
Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER211D.tmp.dmp.24.dr, WERFDF5.tmp.dmp.17.dr, WER4195.tmp.dmp.32.dr
Source: Binary string: System.ni.pdb source: WER211D.tmp.dmp.24.dr, WERFDF5.tmp.dmp.17.dr, WER4195.tmp.dmp.32.dr
Source: Binary string: System.Data.pdb, source: WER211D.tmp.dmp.24.dr, WERFDF5.tmp.dmp.17.dr, WER4195.tmp.dmp.32.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WER211D.tmp.dmp.24.dr, WERFDF5.tmp.dmp.17.dr, WER4195.tmp.dmp.32.dr

Data Obfuscation

Source: 0.2.Statement of Account PDF.bat.exe.3949970.2.raw.unpack, V4uC3Iifq56IKQcfry.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.Statement of Account PDF.bat.exe.7600000.7.raw.unpack, V4uC3Iifq56IKQcfry.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.Statement of Account PDF.bat.exe.45bb430.4.raw.unpack, Dr83W1h4x8JWr6EBI0.cs .Net Code: O3Bxfh3Ehd System.Reflection.Assembly.Load(byte[])
Source: Statement of Account PDF.bat.exe Static PE information: 0x9CBFCD6A [Fri May 2 16:20:58 2053 UTC]
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Code function: 0_2_07625534 pushfd ; retf 0_2_0762555F
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Code function: 0_2_06CC7E88 pushad ; iretd 0_2_06CC7E91
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Code function: 0_2_06CCFF58 push ebx; retf 0_2_06CCFF6A
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Code function: 0_2_06CE055C pushfd ; retf 0_2_06CE055D
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Code function: 0_2_06CE5ABB pushad ; retf 0_2_06CE5ACF
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Code function: 0_2_06CE8AB8 pushad ; retf 0_2_06CE8AC6
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Code function: 0_2_074A3E3A push ds; ret 0_2_074A3E3B
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Code function: 8_2_0101F04E push eax; retf 0594h 8_2_0101F085
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Code function: 8_2_01010C3D push edi; ret 8_2_01010CC2
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Code function: 8_2_01010C95 push edi; retf 8_2_01010C3A
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Code function: 10_2_068F7E88 pushad ; iretd 10_2_068F7E91
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Code function: 10_2_06A16471 push es; ret 10_2_06A16480
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Code function: 10_2_06A1BB71 pushad ; retn 0006h 10_2_06A1BB72
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Code function: 10_2_06D33E3A push ds; ret 10_2_06D33E3B
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Code function: 10_2_06ED7D50 push eax; ret 10_2_06ED7D51
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Code function: 10_2_06ED8998 pushad ; retf 10_2_06ED8999
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Code function: 15_2_01400C3D push edi; ret 15_2_01400CC2
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Code function: 15_2_01400C95 push edi; retf 15_2_01400C3A
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 18_2_07403E3A push ds; ret 18_2_07403E3B
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 18_2_07647E0A pushfd ; ret 18_2_07647E11
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 18_2_07647D50 push eax; ret 18_2_07647D51
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 18_2_076489E8 pushfd ; retf 18_2_076489F1
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 18_2_07648998 pushad ; retf 18_2_07648999
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 22_2_01640B4D push edi; ret 22_2_01640CC2
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 22_2_0164AA28 pushfd ; iretd 22_2_0164AA29
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 22_2_01640C95 push edi; retf 22_2_01640C3A
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 22_2_07041658 push cs; retf 22_2_0704165B
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 22_2_070474B8 push esp; iretd 22_2_070474C1
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 25_2_06FF7E0B pushfd ; ret 25_2_06FF7E11
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 25_2_06FF7D50 push eax; ret 25_2_06FF7D51
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 25_2_06FF89E8 pushfd ; retf 25_2_06FF89F1
Source: Statement of Account PDF.bat.exe Static PE information: section name: .text entropy: 7.953860448849022
Source: gDdsxauPhk.exe.0.dr Static PE information: section name: .text entropy: 7.953860448849022
Source: 0.2.Statement of Account PDF.bat.exe.45bb430.4.raw.unpack, Dr83W1h4x8JWr6EBI0.cs High entropy of concatenated method names: 'SjpioJ9awJ', 'ea8iZ4gqug', 'MECi3HoQTF', 'UUHid4MrLo', 'WOCiBxwBPw', 'L4wiVOrOuJ', 'k9di7KbRoO', 'Ejbih30AsW', 'vJ6iLVQmpQ', 'Rpbiu8EQoF'
Source: 0.2.Statement of Account PDF.bat.exe.45bb430.4.raw.unpack, f9AEeM92i5mlZ4Aopi.cs High entropy of concatenated method names: 'meFr6pyr5u', 'nHfrc9nAMw', 'lyWrssknHt', 'hH1rTnCNwj', 'DxUry1RSU1', 'Jqerb3RYy2', 'nBcrEnR9wl', 'UVorgZPqUS', 'Q4IrHKnd23', 'OnArUCyYnv'
Source: 0.2.Statement of Account PDF.bat.exe.45bb430.4.raw.unpack, XhKCd9dHf21VeCLFyn.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'wvXOmwRH8f', 'VwwOtZWtA0', 'BGCOzMrrx1', 'EwHi15WSlf', 'rx8i0akpVm', 'mF8iOqeqbQ', 'ySeiiBBgPv', 'PuCjFBPpf1uYIhfEx86'
Source: 0.2.Statement of Account PDF.bat.exe.45bb430.4.raw.unpack, rX6SQY6VW0eXSFLNTj.cs High entropy of concatenated method names: 'dba3NyVIOh', 'kiY3PSBMu4', 'P6m3wY9Mhj', 'DPw32EjX88', 'M4W3vH9siM', 'Hg33JUdnOW', 'zlD3nwLFrY', 'qWJ35l50Xx', 'y0e3mosY2b', 'fIT3tg1x6r'
Source: 0.2.Statement of Account PDF.bat.exe.45bb430.4.raw.unpack, UtFFE8xFLtnRoEVa8X.cs High entropy of concatenated method names: 'uiR07X6SQY', 'iW00heXSFL', 'wq90uMrTF4', 'rc70FTjdtm', 'tCm0GAKNXx', 'X2v0jjygSG', 'F7FIS9F3ktykQm0QfM', 'sf1PNNkxfOGfgslpEU', 'sUO00I1DK7', 'dFK0iI4nCn'
Source: 0.2.Statement of Account PDF.bat.exe.45bb430.4.raw.unpack, pdtmeyKGkFH3nSCmAK.cs High entropy of concatenated method names: 'mjlBQWpSiX', 'LSkBpBUDRn', 'OkddkvB3lt', 'i61dyQIJrg', 'Bv3db0G7Xe', 'yO7dlG4HCZ', 'Ok9dEUNjxh', 'ClddgMT05Z', 'cNQd8G3GCV', 'x0UdHEfXvt'
Source: 0.2.Statement of Account PDF.bat.exe.45bb430.4.raw.unpack, Q0vt0hOSjo6HIj4Rq3.cs High entropy of concatenated method names: 'wpaf5LLQ0', 'rxh4vk4J8', 'JJGIEh9jY', 'au8pi5SHf', 'jY0c0NTgk', 'QI3KLHWb7', 'fqD0V8SHmRenCUnAeq', 'BibAuLQfThhaKeeF73', 'jhhaiH8LJ', 'A0VSXwA2K'
Source: 0.2.Statement of Account PDF.bat.exe.45bb430.4.raw.unpack, xIbxFy8gOG4vjPPpTX.cs High entropy of concatenated method names: 'Gto7DJUvE5', 'kyU7MG2yt4', 'ueO7fLuqhw', 'Boe74jeRuo', 'VLc7QVDYbq', 'K4u7I5buHj', 'GXk7pGLnWU', 'Lu576g7QMj', 'SwY7cWldwg', 'AnK7K6FSGv'
Source: 0.2.Statement of Account PDF.bat.exe.45bb430.4.raw.unpack, eZfufPmGb7N5B4W3Lm.cs High entropy of concatenated method names: 'gr3asZTftr', 'SSMaTXr7In', 'NHgakd9eEU', 'xpFayH9wD2', 'tJjaNp49l4', 'fbrabuxhf7', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Statement of Account PDF.bat.exe.45bb430.4.raw.unpack, KisC0xzkcjhkuYQIwX.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'xCgRrVPMPl', 'xsDRGQ8Z3s', 'MoLRjGgEtM', 'oTwRq8BkKA', 'IN7RagxPns', 'mrIRRxq2Rw', 'AI4RSn3XqL'
Source: 0.2.Statement of Account PDF.bat.exe.45bb430.4.raw.unpack, g6ofiB57OeE53f5hFC.cs High entropy of concatenated method names: 'Hr0aZ6pF48', 'vGga3CDhix', 'HGOad6QrhT', 'fqxaBkLrL9', 'M9MaVqctgg', 'h7ta7RpXFY', 'acjah2vvV9', 'v4YaLiL33q', 'inhauehEfJ', 'I0LaFHn3Ua'
Source: 0.2.Statement of Account PDF.bat.exe.45bb430.4.raw.unpack, RXxm2vsjygSGRy8oEp.cs High entropy of concatenated method names: 'Hj0VoApRBd', 'EpXV3Is6y8', 'BX9VBTBBu1', 'Ps3V7KUEru', 'wf7VheH1aX', 'SANBveSRtM', 'x0nBJvCC2E', 'P3bBnFsEHh', 'usJB5ZqZbY', 'aheBmZjrRF'
Source: 0.2.Statement of Account PDF.bat.exe.45bb430.4.raw.unpack, WAm6g4lQKCsssNesbm.cs High entropy of concatenated method names: 'G2SVwBKVmZ', 'FPAV25sjvh', 'YIJVvELQ20', 'ToString', 'zvcVJ011XC', 'g9hVnpffxq', 'kuKb8h1cDGGL8kkENXo', 'wTsqAw1i6GFNdUC3se7'
Source: 0.2.Statement of Account PDF.bat.exe.45bb430.4.raw.unpack, TbdHuRwIDNx36coOJj.cs High entropy of concatenated method names: 'ToString', 'lstjUjAc0x', 'W3OjT3yVrG', 'Ohsjk9YJ4f', 'AF8jyv1cB5', 'TgLjbjODMF', 'GxKjl7KjOg', 'Kg9jENfd3j', 'o1AjgS7dF6', 'VqFj8ARHuM'
Source: 0.2.Statement of Account PDF.bat.exe.45bb430.4.raw.unpack, TQUTGR01T6mTBxIIcxc.cs High entropy of concatenated method names: 'XK6RDu5MTi', 'V6IRMuKAU5', 'kVaRfPSMyQ', 'my3R4anKEs', 'DuPRQuvfoD', 'AjXRId9MqP', 'IwfRpFS6oN', 'uB6R6LdJEW', 'JbbRcsrFkT', 'feFRKAI8YS'
Source: 0.2.Statement of Account PDF.bat.exe.45bb430.4.raw.unpack, ENrO1Acq9MrTF4Rc7T.cs High entropy of concatenated method names: 'Br1d4U2XNV', 'D7LdIiYElt', 'Pqad6dvGmT', 'cVudcxCHRi', 'qdDdGhKOXv', 'CQpdjAafLZ', 'l0jdqy1fFL', 'XK9daQCAto', 'aSRdRjfgZS', 'TDSdSgfZSC'
Source: 0.2.Statement of Account PDF.bat.exe.45bb430.4.raw.unpack, lG6NYlJTADKPBmgkWy.cs High entropy of concatenated method names: 'wKZq5ZmjUG', 'cnUqtNQIAH', 'L2Wa1YIipr', 'gPea02c2kb', 'J6TqUnHsnP', 'SJBqCOEjKH', 'PmCq9nNn9W', 'GauqNG66D2', 'SeTqPGG8ZJ', 'qkQqwsd87W'
Source: 0.2.Statement of Account PDF.bat.exe.45bb430.4.raw.unpack, NBhtei0i2kd7O8CGNMg.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'KPgSN9EkJV', 'doRSPlPd0u', 'zN8Sw6ThTq', 'zPIS2BVR5X', 'wxlSvNJdsb', 'znhSJC20vq', 'GlpSnIyIFR'
Source: 0.2.Statement of Account PDF.bat.exe.45bb430.4.raw.unpack, k3txY0tGWeAPhqr1oN.cs High entropy of concatenated method names: 'W33R05dTbP', 'oLhRiPXw7K', 'HGURx9iVLc', 'nhjRZRETq3', 'hHCR3w8nvn', 'pvLRBNxFie', 'uaERVPPIZ7', 'bG9anCyrQF', 'lj5a5OckWd', 'U7bamkHuow'
Source: 0.2.Statement of Account PDF.bat.exe.45bb430.4.raw.unpack, PuRLoy3ScatIm3wqH1.cs High entropy of concatenated method names: 'Dispose', 'wDp0mZmijB', 'MRKOTudN99', 'crtHHIUsxe', 'cd60tofiB7', 'beE0z53f5h', 'ProcessDialogKey', 'mCoO1ZfufP', 'ob7O0N5B4W', 'fLmOOh3txY'
Source: 0.2.Statement of Account PDF.bat.exe.3949970.2.raw.unpack, V4uC3Iifq56IKQcfry.cs High entropy of concatenated method names: 'JcqLcnHE8kRk7VHJhl', 'baAwnpSkPWAs4YMGxr', 'wTgrto4LNQ', 'imnL6GCB6AIFRqkhxN', 'RgtTUJcyZL', 'dHYrbjNADO', 'xiCr8b7Qs6', 'PT2rZj37UR', 'P1WruDgOtu', 'd71eKLY6YVFQv'
Source: 0.2.Statement of Account PDF.bat.exe.3949970.2.raw.unpack, vpednoN8EZgsJ4TDwx.cs High entropy of concatenated method names: 'SvRTLtpnA', 'uJwWpedno', 'REZpgsJ4T', 'uwxys3A5Q', 'Tl3iTkB7U', 'EqRFtDP16', 'TW5lfqidm', 'wSKAUGlNW', 'LkrevaXpK', 'cwu0Op5AT'
Source: 0.2.Statement of Account PDF.bat.exe.7600000.7.raw.unpack, V4uC3Iifq56IKQcfry.cs High entropy of concatenated method names: 'JcqLcnHE8kRk7VHJhl', 'baAwnpSkPWAs4YMGxr', 'wTgrto4LNQ', 'imnL6GCB6AIFRqkhxN', 'RgtTUJcyZL', 'dHYrbjNADO', 'xiCr8b7Qs6', 'PT2rZj37UR', 'P1WruDgOtu', 'd71eKLY6YVFQv'
Source: 0.2.Statement of Account PDF.bat.exe.7600000.7.raw.unpack, vpednoN8EZgsJ4TDwx.cs High entropy of concatenated method names: 'SvRTLtpnA', 'uJwWpedno', 'REZpgsJ4T', 'uwxys3A5Q', 'Tl3iTkB7U', 'EqRFtDP16', 'TW5lfqidm', 'wSKAUGlNW', 'LkrevaXpK', 'cwu0Op5AT'
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe File created: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe File created: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe

Boot Survival

Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gDdsxauPhk" /XML "C:\Users\user\AppData\Local\Temp\tmp690.tmp"
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run BjTxJte

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe File opened: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe File opened: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: Statement of Account PDF.bat.exe PID: 6984, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: gDdsxauPhk.exe PID: 7440, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: BjTxJte.exe PID: 8032, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: BjTxJte.exe PID: 7400, type: MEMORYSTR
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Memory allocated: EF0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Memory allocated: 2940000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Memory allocated: 26D0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Memory allocated: 8F50000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Memory allocated: 78F0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Memory allocated: 9F50000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Memory allocated: AF50000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Memory allocated: B480000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Memory allocated: 8F50000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Memory allocated: 1010000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Memory allocated: 2F60000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Memory allocated: 2CC0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Memory allocated: 7F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Memory allocated: 2540000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Memory allocated: 2260000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Memory allocated: 8160000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Memory allocated: 9160000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Memory allocated: 9350000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Memory allocated: A350000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Memory allocated: A940000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Memory allocated: 8160000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Memory allocated: 1400000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Memory allocated: 3030000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Memory allocated: 2E60000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory allocated: FE0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory allocated: 2BD0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory allocated: 1270000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory allocated: 89F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory allocated: 99F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory allocated: 9BE0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory allocated: ABE0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory allocated: B140000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory allocated: C140000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory allocated: D140000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory allocated: 1640000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory allocated: 34F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory allocated: 1940000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory allocated: E80000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory allocated: 2A40000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory allocated: 27A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory allocated: 8710000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory allocated: 9710000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory allocated: 9900000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory allocated: A900000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory allocated: AF80000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory allocated: BF80000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory allocated: CF80000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory allocated: 2610000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory allocated: 2900000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory allocated: 4900000 memory reserve | memory write watch
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Thread delayed: delay time: 1200000
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Thread delayed: delay time: 1199874
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Thread delayed: delay time: 1199765
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Thread delayed: delay time: 1199656
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Thread delayed: delay time: 1199546
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Thread delayed: delay time: 1199437
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Thread delayed: delay time: 1199328
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Thread delayed: delay time: 1199214
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Thread delayed: delay time: 1199109
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Thread delayed: delay time: 1198999
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Thread delayed: delay time: 1198890
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Thread delayed: delay time: 1198781
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Thread delayed: delay time: 1198671
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Thread delayed: delay time: 1198551
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Thread delayed: delay time: 1198421
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Thread delayed: delay time: 1198312
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Thread delayed: delay time: 1198192
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Thread delayed: delay time: 1198062
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Thread delayed: delay time: 1197952
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Thread delayed: delay time: 1197839
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Thread delayed: delay time: 1197733
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Thread delayed: delay time: 1197624
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Thread delayed: delay time: 1197514
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Thread delayed: delay time: 1200000
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Thread delayed: delay time: 1199887
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Thread delayed: delay time: 1199770
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Thread delayed: delay time: 1199637
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Thread delayed: delay time: 1199527
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Thread delayed: delay time: 1199418
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Thread delayed: delay time: 1199308
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Thread delayed: delay time: 1199199
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Thread delayed: delay time: 1199090
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Thread delayed: delay time: 1198980
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Thread delayed: delay time: 1198871
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Thread delayed: delay time: 1198746
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Thread delayed: delay time: 1198595
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Thread delayed: delay time: 1198465
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Thread delayed: delay time: 1198355
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Thread delayed: delay time: 1198245
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Thread delayed: delay time: 1198136
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Thread delayed: delay time: 1198027
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Thread delayed: delay time: 1197918
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Thread delayed: delay time: 1197808
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Thread delayed: delay time: 1197691
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Thread delayed: delay time: 1197558
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Thread delayed: delay time: 1197415
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Thread delayed: delay time: 1197257
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Thread delayed: delay time: 1197142
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Thread delayed: delay time: 1196894
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Thread delayed: delay time: 1196150
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Thread delayed: delay time: 1196023
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Thread delayed: delay time: 1195621
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Thread delayed: delay time: 1195511
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Thread delayed: delay time: 1195402
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Thread delayed: delay time: 1195292
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Thread delayed: delay time: 1195183
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Thread delayed: delay time: 1195072
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Thread delayed: delay time: 1194961
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1199949
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1199828
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1199718
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1199609
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1199498
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1199390
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1199281
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1199170
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1199062
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1198953
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1198843
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1198734
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1198624
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1198515
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1198406
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1198295
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1198187
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1198078
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1197968
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1197856
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1197734
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1197625
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1197515
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1197406
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1199951
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1199839
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1199719
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1199609
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1199473
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1199335
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1199219
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1199105
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1198956
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1198828
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1198719
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1198411
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1198281
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1198172
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1198062
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1197953
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1197844
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1197734
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1197621
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1197500
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1197391
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1197276
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1197156
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1197047
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1196936
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1196828
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1196719
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1196594
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1196484
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1196375
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4027
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6023
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Window / User API: threadDelayed 4363
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Window / User API: threadDelayed 5478
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Window / User API: threadDelayed 4252
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Window / User API: threadDelayed 5575
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Window / User API: threadDelayed 5084
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Window / User API: threadDelayed 4765
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Window / User API: threadDelayed 6549
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Window / User API: threadDelayed 3282
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7172 Thread sleep count: 4027 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7384 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7244 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7436 Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7352 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe TID: 7524 Thread sleep time: -36893488147419080s >= -30000s
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe TID: 7524 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe TID: 7524 Thread sleep time: -99874s >= -30000s
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe TID: 7524 Thread sleep time: -99763s >= -30000s
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe TID: 7524 Thread sleep time: -99656s >= -30000s
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe TID: 7524 Thread sleep time: -99546s >= -30000s
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe TID: 7524 Thread sleep time: -99437s >= -30000s
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe TID: 7524 Thread sleep time: -99316s >= -30000s
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe TID: 7524 Thread sleep time: -99187s >= -30000s
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe TID: 7524 Thread sleep time: -99070s >= -30000s
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe TID: 7524 Thread sleep time: -98953s >= -30000s
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe TID: 7524 Thread sleep time: -98841s >= -30000s
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe TID: 7524 Thread sleep time: -98734s >= -30000s
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe TID: 7524 Thread sleep time: -98624s >= -30000s
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe TID: 7524 Thread sleep time: -98515s >= -30000s
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe TID: 7524 Thread sleep time: -98404s >= -30000s
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe TID: 7524 Thread sleep time: -98296s >= -30000s
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe TID: 7524 Thread sleep time: -98184s >= -30000s
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe TID: 7524 Thread sleep time: -98078s >= -30000s
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe TID: 7524 Thread sleep time: -97968s >= -30000s
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe TID: 7524 Thread sleep time: -97859s >= -30000s
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe TID: 7524 Thread sleep time: -97749s >= -30000s
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe TID: 7524 Thread sleep time: -97640s >= -30000s
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe TID: 7524 Thread sleep time: -97531s >= -30000s
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe TID: 7524 Thread sleep time: -97421s >= -30000s
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe TID: 7524 Thread sleep time: -97312s >= -30000s
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe TID: 7524 Thread sleep time: -97203s >= -30000s
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe TID: 7524 Thread sleep time: -97087s >= -30000s
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe TID: 7524 Thread sleep time: -96984s >= -30000s
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe TID: 7524 Thread sleep time: -1200000s >= -30000s
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe TID: 7524 Thread sleep time: -1199874s >= -30000s
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe TID: 7524 Thread sleep time: -1199765s >= -30000s
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe TID: 7524 Thread sleep time: -1199656s >= -30000s
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe TID: 7524 Thread sleep time: -1199546s >= -30000s
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe TID: 7524 Thread sleep time: -1199437s >= -30000s
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe TID: 7524 Thread sleep time: -1199328s >= -30000s
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe TID: 7524 Thread sleep time: -1199214s >= -30000s
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe TID: 7524 Thread sleep time: -1199109s >= -30000s
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe TID: 7524 Thread sleep time: -1198999s >= -30000s
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe TID: 7524 Thread sleep time: -1198890s >= -30000s
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe TID: 7524 Thread sleep time: -1198781s >= -30000s
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe TID: 7524 Thread sleep time: -1198671s >= -30000s
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe TID: 7524 Thread sleep time: -1198551s >= -30000s
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe TID: 7524 Thread sleep time: -1198421s >= -30000s
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe TID: 7524 Thread sleep time: -1198312s >= -30000s
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe TID: 7524 Thread sleep time: -1198192s >= -30000s
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe TID: 7524 Thread sleep time: -1198062s >= -30000s
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe TID: 7524 Thread sleep time: -1197952s >= -30000s
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe TID: 7524 Thread sleep time: -1197839s >= -30000s
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe TID: 7524 Thread sleep time: -1197733s >= -30000s
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe TID: 7524 Thread sleep time: -1197624s >= -30000s
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe TID: 7524 Thread sleep time: -1197514s >= -30000s
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe TID: 7884 Thread sleep time: -35048813740048126s >= -30000s
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe TID: 7884 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe TID: 7884 Thread sleep time: -99875s >= -30000s
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe TID: 7884 Thread sleep time: -99766s >= -30000s
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe TID: 7884 Thread sleep time: -99657s >= -30000s
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe TID: 7884 Thread sleep time: -99423s >= -30000s
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe TID: 7884 Thread sleep time: -99297s >= -30000s
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe TID: 7884 Thread sleep time: -99188s >= -30000s
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe TID: 7884 Thread sleep time: -99077s >= -30000s
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe TID: 7884 Thread sleep time: -98936s >= -30000s
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe TID: 7884 Thread sleep time: -98828s >= -30000s
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe TID: 7884 Thread sleep time: -98308s >= -30000s
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe TID: 7884 Thread sleep time: -98203s >= -30000s
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe TID: 7884 Thread sleep time: -98094s >= -30000s
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe TID: 7884 Thread sleep time: -97969s >= -30000s
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe TID: 7884 Thread sleep time: -95957s >= -30000s
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe TID: 7884 Thread sleep time: -95829s >= -30000s
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe TID: 7884 Thread sleep time: -1200000s >= -30000s
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe TID: 7884 Thread sleep time: -1199887s >= -30000s
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe TID: 7884 Thread sleep time: -1199770s >= -30000s
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe TID: 7884 Thread sleep time: -1199637s >= -30000s
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe TID: 7884 Thread sleep time: -1199527s >= -30000s
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe TID: 7884 Thread sleep time: -1199418s >= -30000s
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe TID: 7884 Thread sleep time: -1199308s >= -30000s
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe TID: 7884 Thread sleep time: -1199199s >= -30000s
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe TID: 7884 Thread sleep time: -1199090s >= -30000s
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe TID: 7884 Thread sleep time: -1198980s >= -30000s
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe TID: 7884 Thread sleep time: -1198871s >= -30000s
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe TID: 7884 Thread sleep time: -1198746s >= -30000s
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe TID: 7884 Thread sleep time: -1198595s >= -30000s
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe TID: 7884 Thread sleep time: -1198465s >= -30000s
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe TID: 7884 Thread sleep time: -1198355s >= -30000s
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe TID: 7884 Thread sleep time: -1198245s >= -30000s
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe TID: 7884 Thread sleep time: -1198136s >= -30000s
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe TID: 7884 Thread sleep time: -1198027s >= -30000s
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe TID: 7884 Thread sleep time: -1197918s >= -30000s
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe TID: 7884 Thread sleep time: -1197808s >= -30000s
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe TID: 7884 Thread sleep time: -1197691s >= -30000s
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe TID: 7884 Thread sleep time: -1197558s >= -30000s
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe TID: 7884 Thread sleep time: -1197415s >= -30000s
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe TID: 7884 Thread sleep time: -1197257s >= -30000s
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe TID: 7884 Thread sleep time: -1197142s >= -30000s
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe TID: 7884 Thread sleep time: -1196894s >= -30000s
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe TID: 7884 Thread sleep time: -1196150s >= -30000s
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe TID: 7884 Thread sleep time: -1196023s >= -30000s
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe TID: 7884 Thread sleep time: -1195621s >= -30000s
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe TID: 7884 Thread sleep time: -1195511s >= -30000s
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe TID: 7884 Thread sleep time: -1195402s >= -30000s
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe TID: 7884 Thread sleep time: -1195292s >= -30000s
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe TID: 7884 Thread sleep time: -1195183s >= -30000s
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe TID: 7884 Thread sleep time: -1195072s >= -30000s
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe TID: 7884 Thread sleep time: -1194961s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7212 Thread sleep count: 39 > 30
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7212 Thread sleep time: -35971150943733603s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7212 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7236 Thread sleep count: 5084 > 30
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7212 Thread sleep time: -99875s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7236 Thread sleep count: 4765 > 30
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7212 Thread sleep time: -99762s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7212 Thread sleep time: -99641s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7212 Thread sleep time: -99531s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7212 Thread sleep time: -99422s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7212 Thread sleep time: -99313s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7212 Thread sleep time: -99156s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7212 Thread sleep time: -99046s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7212 Thread sleep time: -98937s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7212 Thread sleep time: -98828s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7212 Thread sleep time: -98712s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7212 Thread sleep time: -98594s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7212 Thread sleep time: -98484s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7212 Thread sleep time: -98375s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7212 Thread sleep time: -98266s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7212 Thread sleep time: -98141s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7212 Thread sleep time: -98016s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7212 Thread sleep time: -97906s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7212 Thread sleep time: -97797s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7212 Thread sleep time: -97687s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7212 Thread sleep time: -97578s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7212 Thread sleep time: -97469s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7212 Thread sleep time: -97359s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7212 Thread sleep time: -97250s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7212 Thread sleep time: -97135s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7212 Thread sleep time: -1199949s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7212 Thread sleep time: -1199828s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7212 Thread sleep time: -1199718s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7212 Thread sleep time: -1199609s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7212 Thread sleep time: -1199498s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7212 Thread sleep time: -1199390s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7212 Thread sleep time: -1199281s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7212 Thread sleep time: -1199170s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7212 Thread sleep time: -1199062s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7212 Thread sleep time: -1198953s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7212 Thread sleep time: -1198843s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7212 Thread sleep time: -1198734s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7212 Thread sleep time: -1198624s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7212 Thread sleep time: -1198515s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7212 Thread sleep time: -1198406s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7212 Thread sleep time: -1198295s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7212 Thread sleep time: -1198187s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7212 Thread sleep time: -1198078s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7212 Thread sleep time: -1197968s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7212 Thread sleep time: -1197856s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7212 Thread sleep time: -1197734s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7212 Thread sleep time: -1197625s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7212 Thread sleep time: -1197515s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7212 Thread sleep time: -1197406s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7948 Thread sleep time: -33204139332677172s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7948 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7948 Thread sleep time: -99875s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7948 Thread sleep time: -99766s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7948 Thread sleep time: -99637s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7948 Thread sleep time: -99531s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7948 Thread sleep time: -99422s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7948 Thread sleep time: -99313s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7948 Thread sleep time: -99188s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7948 Thread sleep time: -99063s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7948 Thread sleep time: -98953s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7948 Thread sleep time: -98844s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7948 Thread sleep time: -98719s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7948 Thread sleep time: -98610s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7948 Thread sleep time: -98485s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7948 Thread sleep time: -98329s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7948 Thread sleep time: -98154s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7948 Thread sleep time: -98042s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7948 Thread sleep time: -97723s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7948 Thread sleep time: -97594s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7948 Thread sleep time: -97485s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7948 Thread sleep time: -97358s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7948 Thread sleep time: -97163s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7948 Thread sleep time: -1199951s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7948 Thread sleep time: -1199839s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7948 Thread sleep time: -1199719s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7948 Thread sleep time: -1199609s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7948 Thread sleep time: -1199473s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7948 Thread sleep time: -1199335s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7948 Thread sleep time: -1199219s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7948 Thread sleep time: -1199105s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7948 Thread sleep time: -1198956s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7948 Thread sleep time: -1198828s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7948 Thread sleep time: -1198719s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7948 Thread sleep time: -1198411s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7948 Thread sleep time: -1198281s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7948 Thread sleep time: -1198172s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7948 Thread sleep time: -1198062s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7948 Thread sleep time: -1197953s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7948 Thread sleep time: -1197844s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7948 Thread sleep time: -1197734s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7948 Thread sleep time: -1197621s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7948 Thread sleep time: -1197500s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7948 Thread sleep time: -1197391s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7948 Thread sleep time: -1197276s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7948 Thread sleep time: -1197156s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7948 Thread sleep time: -1197047s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7948 Thread sleep time: -1196936s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7948 Thread sleep time: -1196828s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7948 Thread sleep time: -1196719s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7948 Thread sleep time: -1196594s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7948 Thread sleep time: -1196484s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7948 Thread sleep time: -1196375s >= -30000s
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
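The "Thread sleep time" records above and the Win32_BaseBoard / Win32_Processor WMI records that follow them are two halves of one evasion pattern: stall long enough to outlast a sandbox's analysis window, and fingerprint the hardware to decide whether the host is a VM. The script below is an added triage example written for this report; it is not code from the sandbox vendor, from AgentTesla, or from the original page. It parses evidence lines of exactly the two shapes shown here and reports, per image, the longest and cumulative sleep requested and which hardware classes were enumerated. Assumptions are the editor's: the sleep values are milliseconds passed as a relative (negative) NtDelayExecution interval, which is consistent with the "Contains long sleeps (>= 3 min)" signature and the 1200000 values (20 minutes); values that do not fit in 32 bits, such as -35048813740048126, are counted as "unbounded" rather than summed; and the list of fingerprinting WMI classes is an analyst's choice, not something the report states. The sample records are copied from the evidence above.

```python
"""Triage helper for sandbox behaviour evidence lines (added example).

Parses the two record shapes present in the report:
  Source: <image> TID: <n> Thread sleep time: -<ms>s >= -30000s
  Source: <image> WMI Queries: IWbemServices::<method> - <ns> : <class or WQL>
Assumptions (editor's, not the report's): sleep values are milliseconds,
values >= 2**31 are "unbounded", VM_FINGERPRINT_CLASSES is an analyst list.
"""
import re
from dataclasses import dataclass, field

SLEEP_RE = re.compile(
    r"^Source: (?P<image>.+?) TID: (?P<tid>\d+) Thread sleep time: "
    r"-(?P<ms>\d+)s >= -(?P<limit>\d+)s"
)
WMI_RE = re.compile(
    r"^Source: (?P<image>.+?) WMI Queries: IWbemServices::(?P<method>\w+) - "
    r"(?P<namespace>[\w\\]+) : (?P<query>.+?)\s*$"
)

# WMI classes commonly read to fingerprint a hypervisor (analyst assumption).
VM_FINGERPRINT_CLASSES = {
    "Win32_BaseBoard", "Win32_Processor", "Win32_ComputerSystem",
    "Win32_BIOS", "Win32_NetworkAdapter", "Win32_DiskDrive",
}
LONG_SLEEP_MS = 3 * 60 * 1000   # same bar as the report's ">= 3 min" signature
UNBOUNDED_MS = 2 ** 31          # larger than any plausible timer value


@dataclass
class Finding:
    image: str
    tids: set = field(default_factory=set)
    max_sleep_ms: int = 0        # longest single in-range sleep request
    total_sleep_ms: int = 0      # sum of in-range sleep requests
    unbounded_sleeps: int = 0    # requests >= UNBOUNDED_MS (effectively infinite)
    wmi_vm_classes: set = field(default_factory=set)

    @property
    def long_sleep(self) -> bool:
        return self.max_sleep_ms >= LONG_SLEEP_MS


def wmi_class_name(query: str) -> str:
    """Class name from a bare class (CreateInstanceEnum) or a WQL SELECT (ExecQuery)."""
    m = re.search(r"\bFROM\s+(\w+)", query, re.IGNORECASE)
    if m:
        return m.group(1)
    parts = query.split()
    return parts[0] if parts else ""


def parse_report(lines):
    """Fold evidence lines into one Finding per image; other record shapes are skipped."""
    findings = {}
    for raw in lines:
        line = raw.strip()
        if (m := SLEEP_RE.match(line)):
            f = findings.setdefault(m["image"], Finding(m["image"]))
            f.tids.add(int(m["tid"]))
            ms = int(m["ms"])
            if ms >= UNBOUNDED_MS:
                f.unbounded_sleeps += 1
            else:
                f.max_sleep_ms = max(f.max_sleep_ms, ms)
                f.total_sleep_ms += ms
        elif (m := WMI_RE.match(line)):
            f = findings.setdefault(m["image"], Finding(m["image"]))
            cls = wmi_class_name(m["query"])
            if cls in VM_FINGERPRINT_CLASSES:
                f.wmi_vm_classes.add(cls)
    return findings


def evasive_images(findings):
    """Images that both stall for >= 3 min and fingerprint hardware via WMI."""
    return sorted(n for n, f in findings.items() if f.long_sleep and f.wmi_vm_classes)


# Records copied from the evidence above; the two "sleep count" lines are
# included to show that non-matching record shapes are ignored.
SAMPLE = r"""
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe TID: 7524 Thread sleep time: -1198312s >= -30000s
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe TID: 7524 Thread sleep time: -1198192s >= -30000s
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe TID: 7884 Thread sleep time: -35048813740048126s >= -30000s
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe TID: 7884 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe TID: 7884 Thread sleep time: -1200000s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7212 Thread sleep count: 39 > 30
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7236 Thread sleep count: 5084 > 30
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7212 Thread sleep time: -99875s >= -30000s
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
""".strip().splitlines()

if __name__ == "__main__":
    findings = parse_report(SAMPLE)
    for name, f in findings.items():
        print(f"{name}\n  tids={sorted(f.tids)} max={f.max_sleep_ms}ms "
              f"total={f.total_sleep_ms}ms unbounded={f.unbounded_sleeps} "
              f"long_sleep={f.long_sleep} wmi={sorted(f.wmi_vm_classes)}")
    print("stall + VM fingerprint:", evasive_images(findings))
```

Run against the full evidence list, the same parser separates the three behaviours visible here: the dropped copies (gDdsxauPhk.exe, BjTxJte.exe) repeat the 100 s and 20 min sleep ladders of the original, the huge Int64-derived values are waits rather than timed sleeps and are better counted than summed, and only the images that also enumerate Win32_BaseBoard / Win32_Processor are flagged by evasive_images.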
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Thread delayed: delay time: 100000
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Thread delayed: delay time: 99874
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Thread delayed: delay time: 99763
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Thread delayed: delay time: 99656
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Thread delayed: delay time: 99546
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Thread delayed: delay time: 99437
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Thread delayed: delay time: 99316
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Thread delayed: delay time: 99187
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Thread delayed: delay time: 99070
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Thread delayed: delay time: 98953
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Thread delayed: delay time: 98841
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Thread delayed: delay time: 98734
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Thread delayed: delay time: 98624
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Thread delayed: delay time: 98515
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Thread delayed: delay time: 98404
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Thread delayed: delay time: 98296
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Thread delayed: delay time: 98184
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Thread delayed: delay time: 98078
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Thread delayed: delay time: 97968
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Thread delayed: delay time: 97859
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Thread delayed: delay time: 97749
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Thread delayed: delay time: 97640
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Thread delayed: delay time: 97531
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Thread delayed: delay time: 97421
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Thread delayed: delay time: 97312
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Thread delayed: delay time: 97203
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Thread delayed: delay time: 97087
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Thread delayed: delay time: 96984
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Thread delayed: delay time: 1200000
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Thread delayed: delay time: 1199874
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Thread delayed: delay time: 1199765
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Thread delayed: delay time: 1199656
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Thread delayed: delay time: 1199546
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Thread delayed: delay time: 1199437
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Thread delayed: delay time: 1199328
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Thread delayed: delay time: 1199214
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Thread delayed: delay time: 1199109
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Thread delayed: delay time: 1198999
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Thread delayed: delay time: 1198890
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Thread delayed: delay time: 1198781
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Thread delayed: delay time: 1198671
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Thread delayed: delay time: 1198551
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Thread delayed: delay time: 1198421
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Thread delayed: delay time: 1198312
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Thread delayed: delay time: 1198192
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Thread delayed: delay time: 1198062
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Thread delayed: delay time: 1197952
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Thread delayed: delay time: 1197839
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Thread delayed: delay time: 1197733
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Thread delayed: delay time: 1197624
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Thread delayed: delay time: 1197514
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Thread delayed: delay time: 99875
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Thread delayed: delay time: 99766
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Thread delayed: delay time: 99657
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Thread delayed: delay time: 99423
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Thread delayed: delay time: 99297
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Thread delayed: delay time: 99188
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Thread delayed: delay time: 99077
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Thread delayed: delay time: 98936
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Thread delayed: delay time: 98828
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Thread delayed: delay time: 98308
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Thread delayed: delay time: 98203
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Thread delayed: delay time: 98094
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Thread delayed: delay time: 97969
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Thread delayed: delay time: 95957
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Thread delayed: delay time: 95829
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Thread delayed: delay time: 1200000
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Thread delayed: delay time: 1199887
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Thread delayed: delay time: 1199770
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Thread delayed: delay time: 1199637
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Thread delayed: delay time: 1199527
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Thread delayed: delay time: 1199418
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Thread delayed: delay time: 1199308
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Thread delayed: delay time: 1199199
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Thread delayed: delay time: 1199090
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Thread delayed: delay time: 1198980
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Thread delayed: delay time: 1198871
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Thread delayed: delay time: 1198746
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Thread delayed: delay time: 1198595
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Thread delayed: delay time: 1198465
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Thread delayed: delay time: 1198355
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Thread delayed: delay time: 1198245
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Thread delayed: delay time: 1198136
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Thread delayed: delay time: 1198027
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Thread delayed: delay time: 1197918
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Thread delayed: delay time: 1197808
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Thread delayed: delay time: 1197691
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Thread delayed: delay time: 1197558
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Thread delayed: delay time: 1197415
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Thread delayed: delay time: 1197257
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Thread delayed: delay time: 1197142
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Thread delayed: delay time: 1196894
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Thread delayed: delay time: 1196150
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Thread delayed: delay time: 1196023
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Thread delayed: delay time: 1195621
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Thread delayed: delay time: 1195511
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Thread delayed: delay time: 1195402
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Thread delayed: delay time: 1195292
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Thread delayed: delay time: 1195183
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Thread delayed: delay time: 1195072
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Thread delayed: delay time: 1194961
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 99875
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 99762
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 99641
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 99531
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 99422
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 99313
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 99156
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 99046
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 98937
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 98828
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 98712
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 98594
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 98484
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 98375
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 98266
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 98141
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 98016
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 97906
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 97797
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 97687
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 97578
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 97469
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 97359
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 97250
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 97135
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1199949
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1199828
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1199718
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1199609
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1199498
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1199390
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1199281
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1199170
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1199062
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1198953
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1198843
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1198734
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1198624
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1198515
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1198406
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1198295
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1198187
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1198078
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1197968
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1197856
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1197734
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1197625
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1197515
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1197406
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 99875
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 99766
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 99637
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 99531
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 99422
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 99313
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 99188
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 99063
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 98953
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 98844
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 98719
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 98610
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 98485
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 98329
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 98154
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 98042
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 97723
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 97594
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 97485
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 97358
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 97163
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1199951
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1199839
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1199719
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1199609
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1199473
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1199335
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1199219
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1199105
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1198956
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1198828
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1198719
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1198411
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1198281
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1198172
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1198062
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1197953
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1197844
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1197734
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1197621
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1197500
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1197391
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1197276
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1197156
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1197047
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1196936
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1196828
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1196719
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1196594
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1196484
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1196375
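The "Thread delayed" entries above are the raw data behind the "Contains long sleeps (>= 3 min)" signature. Three patterns in them are worth pulling out during triage: the 1200000 ms (20 min) and 100000 ms waits, the value 922337203685477, which is the largest relative delay expressible in 100 ns ticks converted to milliseconds (Int64.MaxValue / 10000) and stands for an effectively infinite wait, and the long descending runs (1200000, 1199887, 1199770, ...) in which each call is roughly 110 ms smaller than the previous one, the signature of a deadline-based wait loop that re-issues the remaining time on every iteration. The script below is an added example written for this page, not part of the Joe Sandbox report or of its tooling; it parses the report's own line format from a constructed excerpt (values copied from the listing above, abbreviated) and produces a per-process sleep profile. The threshold and function names are the author's choices.

```python
import re
from collections import defaultdict

# Constructed excerpt of the report's "Thread delayed" lines (values copied from the
# listing above; abbreviated, not the full set). The WerFault line shows that
# unrelated report lines are ignored by the parser.
REPORT_EXCERPT = r"""
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Thread delayed: delay time: 1199109 Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Thread delayed: delay time: 1198999 Jump to behavior
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Thread delayed: delay time: 99875
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Thread delayed: delay time: 1200000
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Thread delayed: delay time: 1199887
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1197406
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\
"""

# Largest relative delay expressible in 100 ns ticks, in milliseconds: (2**63 - 1) // 10000.
# The sandbox reports this value for an effectively infinite wait (assumption: interpretation
# of the sentinel, not a documented report field).
INFINITE_WAIT_MS = (2**63 - 1) // 10_000          # 922337203685477
LONG_SLEEP_MS = 3 * 60 * 1000                      # the report's ">= 3 min" threshold

LINE_RE = re.compile(r"^Source: (?P<proc>.+?) Thread delayed: delay time: (?P<ms>\d+)")


def parse_thread_delays(text):
    """Return [(process_path, delay_ms), ...] in report order; other lines are ignored."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append((m.group("proc"), int(m.group("ms"))))
    return out


def countdown_runs(values, max_step_ms=1_000):
    """Find runs of consecutive delays that shrink by at most max_step_ms per call.

    A deadline-based wait loop produces exactly this: every iteration re-issues the
    remaining time, and the small decrement is the wall-clock time that elapsed between
    calls. Returns [(first_ms, last_ms, run_length), ...] for runs of length >= 2.
    """
    runs, start = [], 0
    for i in range(1, len(values) + 1):
        contiguous = i < len(values) and 0 < values[i - 1] - values[i] <= max_step_ms
        if not contiguous:
            if i - start >= 2:
                runs.append((values[start], values[i - 1], i - start))
            start = i
    return runs


def summarize(entries, long_threshold_ms=LONG_SLEEP_MS):
    """Per-process sleep profile: call count, infinite waits, long sleeps, countdown loops."""
    by_proc = defaultdict(list)
    for proc, ms in entries:
        by_proc[proc].append(ms)
    report = {}
    for proc, values in by_proc.items():
        finite = [v for v in values if v != INFINITE_WAIT_MS]
        report[proc] = {
            "calls": len(values),
            "infinite_waits": len(values) - len(finite),
            "long_sleeps": sum(1 for v in finite if v >= long_threshold_ms),
            "max_finite_ms": max(finite, default=0),
            "countdown_runs": countdown_runs(finite),
        }
    return report


if __name__ == "__main__":
    for proc, profile in summarize(parse_thread_delays(REPORT_EXCERPT)).items():
        print(proc.rsplit("\\", 1)[-1], profile)
```

Run against the full report, the countdown runs are the more useful output than the raw maximum: a sandbox that shortens individual sleeps but does not advance the clock never sees the remaining time reach zero, which is why the "Contains long sleeps" verdict alone understates the evasion.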
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_BjTxJte.exe_f5c09dd75b90d612af8c658c8837992c387ee89_843aacda_4690c535-c6af-41e6-8128-f3000ded106c\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_gDdsxauPhk.exe_e2c8de6e9dfbc3bf198524a8a8bae3ea56c2edb2_cb724c00_6c828731-bc0c-4d10-93b3-5ed4934f0644\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue
Source: BjTxJte.exe, 00000016.00000002.1923322227.0000000001709000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllv
Source: BjTxJte.exe, 00000012.00000002.1852257669.00000000010B4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: Statement of Account PDF.bat.exe, 00000008.00000002.4073522473.00000000010CB000.00000004.00000020.00020000.00000000.sdmp, gDdsxauPhk.exe, 0000000F.00000002.4074399117.00000000014AB000.00000004.00000020.00020000.00000000.sdmp, BjTxJte.exe, 0000001E.00000002.4077118774.0000000000D8D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Statement of Account PDF.bat.exe"
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gDdsxauPhk.exe"
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Statement of Account PDF.bat.exe"
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gDdsxauPhk.exe"
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Memory written: C:\Users\user\Desktop\Statement of Account PDF.bat.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Memory written: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory written: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory written: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Statement of Account PDF.bat.exe"
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gDdsxauPhk.exe"
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gDdsxauPhk" /XML "C:\Users\user\AppData\Local\Temp\tmp690.tmp"
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Process created: C:\Users\user\Desktop\Statement of Account PDF.bat.exe "C:\Users\user\Desktop\Statement of Account PDF.bat.exe"
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gDdsxauPhk" /XML "C:\Users\user\AppData\Local\Temp\tmp216B.tmp"
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Process created: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe "C:\Users\user\AppData\Roaming\gDdsxauPhk.exe"
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Process created: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe "C:\Users\user\AppData\Roaming\gDdsxauPhk.exe"
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gDdsxauPhk" /XML "C:\Users\user\AppData\Local\Temp\tmp44D2.tmp"
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process created: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe "C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe"
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gDdsxauPhk" /XML "C:\Users\user\AppData\Local\Temp\tmp6598.tmp"
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process created: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe "C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe"
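The process-creation lines above carry three detection-grade facts: powershell.exe is launched with Add-MpPreference -ExclusionPath for the sample and for the dropped copy (the "Adds a directory exclusion to Windows Defender" signature; the Sigma hit in the summary also covers the Base64-encoded form), schtasks.exe creates the "Updates\gDdsxauPhk" task from an XML file in the user's Temp directory (the "Scheduled temp file as task from temp location" Sigma hit), and each stage spawns a copy of itself before the "Memory written ... base: 400000 value starts with: 4D5A" entries, which is the suspended-process injection the summary lists. The script below is an added example written for this page, not part of the report or of any vendor tooling; it applies those three checks to constructed process-creation records (parent image, image, command line) built from the lines above. The -EncodedCommand sample is constructed here because the report only shows the plain form, the tag names are the author's own, and the self-spawn rule is deliberately treated as a weak signal.

```python
import base64
import re

# Paths copied from the report. Everything built from them below is a constructed event,
# not a line taken from the sandbox output.
SAMPLE = r"C:\Users\user\Desktop\Statement of Account PDF.bat.exe"
DROPPED = r"C:\Users\user\AppData\Roaming\gDdsxauPhk.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"


def encoded_ps(script):
    """Build a 'powershell -EncodedCommand' line the way it is normally launched (UTF-16LE, Base64)."""
    return '"{}" -EncodedCommand {}'.format(PS, base64.b64encode(script.encode("utf-16le")).decode())


# (parent image, image, command line); the last record is a benign control.
EVENTS = [
    (SAMPLE, PS, '"{}" Add-MpPreference -ExclusionPath "{}"'.format(PS, SAMPLE)),
    (SAMPLE, PS, '"{}" Add-MpPreference -ExclusionPath "{}"'.format(PS, DROPPED)),
    (SAMPLE, SCHTASKS, r'"{}" /Create /TN "Updates\gDdsxauPhk" /XML "C:\Users\user\AppData\Local\Temp\tmp690.tmp"'.format(SCHTASKS)),
    (SAMPLE, SAMPLE, '"{}"'.format(SAMPLE)),
    (DROPPED, PS, encoded_ps('Add-MpPreference -ExclusionPath "{}"'.format(DROPPED))),
    (r"C:\Windows\explorer.exe", PS, '"{}" Get-MpPreference'.format(PS)),
]

# Add-MpPreference with any of the three exclusion parameters; captures the excluded value.
MP_EXCLUSION_RE = re.compile(
    r'''Add-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)\s+(?:"([^"]+)"|'([^']+)'|(\S+))''',
    re.I | re.S)
# -e / -ec / -en / -enc / -EncodedCommand followed by a Base64 blob (PowerShell accepts any prefix).
ENCODED_RE = re.compile(r"-e(?:c|n[a-z]*)?\b\s+([A-Za-z0-9+/=]{16,})", re.I)
# schtasks /XML pointing into a user or system Temp directory.
TEMP_XML_RE = re.compile(r'/xml\s+"?([^"]*\\(?:AppData\\Local\\Temp|Windows\\Temp)\\[^"]*)"?', re.I)


def powershell_script(cmdline):
    """Return the text PowerShell will actually run: the decoded -EncodedCommand payload
    when one is present and decodes cleanly, otherwise the command line itself."""
    m = ENCODED_RE.search(cmdline)
    if m:
        try:
            return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
        except (ValueError, UnicodeDecodeError):
            pass
    return cmdline


def classify(parent, image, cmdline):
    """Return [(tag, detail), ...] for one process-creation event."""
    findings = []
    exe = image.rsplit("\\", 1)[-1].lower()
    if exe in ("powershell.exe", "pwsh.exe"):
        m = MP_EXCLUSION_RE.search(powershell_script(cmdline))
        if m:
            findings.append(("defender_exclusion_added", next(g for g in m.groups() if g)))
    elif exe == "schtasks.exe" and re.search(r"/create\b", cmdline, re.I):
        m = TEMP_XML_RE.search(cmdline)
        if m:
            findings.append(("schtask_from_temp_xml", m.group(1)))
    if parent.lower() == image.lower():
        # The report shows each stage spawning a copy of itself and then writing an MZ
        # image at base 0x400000 into it. On its own this is only a weak signal (updaters
        # and elevation helpers do it too), so it is tagged rather than scored.
        findings.append(("self_spawn", exe))
    return findings


def triage(events):
    """Flatten findings over a list of events as [(image basename, (tag, detail)), ...]."""
    return [(image.rsplit("\\", 1)[-1], f)
            for parent, image, cmd in events
            for f in classify(parent, image, cmd)]


if __name__ == "__main__":
    for name, finding in triage(EVENTS):
        print(name, finding)
```

On a live host the same checks map onto Sysmon event 1 or Security event 4688 fields (ParentImage, Image, CommandLine); the excluded path captured by the first rule is the value to confirm against Get-MpPreference and to remove with Remove-MpPreference during cleanup.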
Source: Statement of Account PDF.bat.exe, 00000008.00000002.4082420582.0000000002FAB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Users\user\Desktop\Statement of Account PDF.bat.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\OFFSYM.TTF VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Fonts\OFFSYMB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Users\user\Desktop\Statement of Account PDF.bat.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Queries volume information: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Queries volume information: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Queries volume information: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Queries volume information: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Queries volume information: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Queries volume information: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 25.2.BjTxJte.exe.4798530.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.BjTxJte.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.BjTxJte.exe.4963d80.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Statement of Account PDF.bat.exe.43bdcb0.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Statement of Account PDF.bat.exe.43f8cd0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.BjTxJte.exe.4928d60.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.BjTxJte.exe.47d3550.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.BjTxJte.exe.47d3550.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.BjTxJte.exe.4928d60.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.BjTxJte.exe.4798530.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.BjTxJte.exe.4963d80.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Statement of Account PDF.bat.exe.43bdcb0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Statement of Account PDF.bat.exe.43f8cd0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001E.00000002.4081952252.000000000294B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.4080192144.0000000003081000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.4080192144.00000000030D3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.1916411729.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.1856813364.0000000004928000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.1945703172.0000000004798000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.4080192144.00000000030CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.1928490064.000000000356C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.1928490064.0000000003541000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.4082420582.0000000002FAB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.1928490064.0000000003574000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1700653245.0000000004337000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Statement of Account PDF.bat.exe PID: 6984, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Statement of Account PDF.bat.exe PID: 7252, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: gDdsxauPhk.exe PID: 7720, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: BjTxJte.exe PID: 8032, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: BjTxJte.exe PID: 7220, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: BjTxJte.exe PID: 7400, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: BjTxJte.exe PID: 7752, type: MEMORYSTR
Source: Yara match File source: 0.2.Statement of Account PDF.bat.exe.7600000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Statement of Account PDF.bat.exe.3949970.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Statement of Account PDF.bat.exe.3949970.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Statement of Account PDF.bat.exe.7600000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1700653245.0000000003949000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1710196910.0000000007600000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions (2 identical entries)
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini (2 identical entries)
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini (2 identical entries)
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\gDdsxauPhk.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini (2 identical entries)
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini (2 identical entries)
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
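The file and registry targets above are the credential stores this sample enumerates: browser login databases and Gecko-family profile indexes, Thunderbird, Outlook (Windows Messaging Subsystem) and IncrediMail profiles, and the WinSCP session key and FTP Navigator site list. As an added example (not part of the sandbox report and not the sandbox's own detection logic), the Python below parses behaviour lines in exactly the "Source: <process> File opened: <path>" / "Key opened: <key>" shape used on this page, groups each target into a store family, and flags a process that touches two or more unrelated families. The family table, the threshold, and the constructed firefox.exe control line are assumptions; the malicious sample lines are copied from this page.

```python
"""Credential-store access triage over sandbox behaviour lines.

Added example, not part of the original report. Family grouping,
threshold and the firefox.exe control line are assumptions; the other
sample lines are copied from the report above.
"""
import re
from collections import defaultdict

# Assumed grouping of the report's targets into store families, matched
# as case-insensitive substrings of the path or registry key.
INDICATORS = {
    "browser": [
        r"\google\chrome\user data",
        r"\microsoft\edge\user data",
        r"\mozilla\firefox\profiles.ini",
        r"\cyberfox\profiles.ini",
        r"\blackhawk\profiles.ini",
    ],
    "mail": [
        r"\thunderbird\profiles.ini",
        r"windows messaging subsystem\profiles",
        r"\incredimail\identities",
    ],
    "ftp_sftp": [
        r"\martin prikryl\winscp 2\sessions",
        r"\ftp navigator\ftplist.txt",
    ],
}

# One report line; the optional trailing "Jump to behavior" is link text.
LINE_RE = re.compile(
    r"^Source:\s+(?P<proc>.+?)\s+(?P<op>File opened|Key opened):\s+"
    r"(?P<target>.+?)(?:\s+Jump to behavior)?\s*$"
)


def classify(target):
    """Return the store families whose indicators appear in the target."""
    t = target.lower()
    return [fam for fam, needles in INDICATORS.items()
            if any(n in t for n in needles)]


def triage(lines, min_families=2):
    """Per-process summary: families touched, targets per family, and a
    flag set when at least min_families unrelated families were read."""
    hits = defaultdict(lambda: defaultdict(set))
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # other event types (volume info, key value queried)
        for fam in classify(m["target"]):
            hits[m["proc"]][fam].add(m["target"])
    return {
        proc: {
            "families": sorted(fams),
            "targets": {fam: sorted(t) for fam, t in fams.items()},
            "flag": len(fams) >= min_families,
        }
        for proc, fams in hits.items()
    }


def flagged(lines, min_families=2):
    """Sorted process paths that crossed the family threshold."""
    return sorted(p for p, v in triage(lines, min_families).items() if v["flag"])


# Constructed sample: malicious lines copied from this report, one benign
# control (a browser reading its own profile), and one line of another
# event type that the parser must ignore.
SAMPLE_REPORT_LINES = [
    r"Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior",
    r"Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions",
    r"Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data",
    r"Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini",
    r"Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe File opened: C:\FTP Navigator\Ftplist.txt",
    r"Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini",
    r"Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities",
    r"Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior",
    r"Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles Jump to behavior",
    r"Source: C:\Program Files\Mozilla Firefox\firefox.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini",
    r"Source: C:\Users\user\Desktop\Statement of Account PDF.bat.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior",
]

if __name__ == "__main__":
    for proc, v in triage(SAMPLE_REPORT_LINES).items():
        print(("FLAG " if v["flag"] else "     ") + proc, v["families"])
```

On the sample, BjTxJte.exe is flagged for all three families and the dropper for WinSCP plus mail, while the firefox.exe control reads only its own profile and stays below the threshold: breadth across unrelated stores is the signal, since any single family has a legitimate owner. On a live host the equivalent telemetry is not free: stock Sysmon has no general file-read event, so reproducing the "File opened" column requires object-access auditing (SACLs and event 4663) or an EDR that records file reads; the registry opens can be covered by Sysmon event 12/13 or 4663 on the keys listed.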
Source: Yara match File source: 25.2.BjTxJte.exe.4798530.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.BjTxJte.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.BjTxJte.exe.4963d80.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Statement of Account PDF.bat.exe.43bdcb0.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Statement of Account PDF.bat.exe.43f8cd0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.BjTxJte.exe.4928d60.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.BjTxJte.exe.47d3550.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.BjTxJte.exe.47d3550.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.BjTxJte.exe.4928d60.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.BjTxJte.exe.4798530.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.BjTxJte.exe.4963d80.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Statement of Account PDF.bat.exe.43bdcb0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Statement of Account PDF.bat.exe.43f8cd0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001E.00000002.4081952252.000000000294B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.4080192144.0000000003081000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.1916411729.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.1856813364.0000000004928000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.1945703172.0000000004798000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.1928490064.0000000003541000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.4082420582.0000000002FAB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1700653245.0000000004337000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Statement of Account PDF.bat.exe PID: 6984, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Statement of Account PDF.bat.exe PID: 7252, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: gDdsxauPhk.exe PID: 7720, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: BjTxJte.exe PID: 8032, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: BjTxJte.exe PID: 7220, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: BjTxJte.exe PID: 7400, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: BjTxJte.exe PID: 7752, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 25.2.BjTxJte.exe.4798530.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.BjTxJte.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.BjTxJte.exe.4963d80.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Statement of Account PDF.bat.exe.43bdcb0.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Statement of Account PDF.bat.exe.43f8cd0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.BjTxJte.exe.4928d60.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.BjTxJte.exe.47d3550.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.BjTxJte.exe.47d3550.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.BjTxJte.exe.4928d60.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.BjTxJte.exe.4798530.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.BjTxJte.exe.4963d80.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Statement of Account PDF.bat.exe.43bdcb0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Statement of Account PDF.bat.exe.43f8cd0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001E.00000002.4081952252.000000000294B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.4080192144.0000000003081000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.4080192144.00000000030D3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.1916411729.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.1856813364.0000000004928000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.1945703172.0000000004798000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.4080192144.00000000030CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.1928490064.000000000356C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.1928490064.0000000003541000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.4082420582.0000000002FAB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.1928490064.0000000003574000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1700653245.0000000004337000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Statement of Account PDF.bat.exe PID: 6984, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Statement of Account PDF.bat.exe PID: 7252, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: gDdsxauPhk.exe PID: 7720, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: BjTxJte.exe PID: 8032, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: BjTxJte.exe PID: 7220, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: BjTxJte.exe PID: 7400, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: BjTxJte.exe PID: 7752, type: MEMORYSTR
Source: Yara match File source: 0.2.Statement of Account PDF.bat.exe.7600000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Statement of Account PDF.bat.exe.3949970.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Statement of Account PDF.bat.exe.3949970.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Statement of Account PDF.bat.exe.7600000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1700653245.0000000003949000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1710196910.0000000007600000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY