Windows Analysis Report
INVOICE KAD-0138-2024.exe

Overview

General Information

Sample name: INVOICE KAD-0138-2024.exe
Analysis ID: 1436311
MD5: 1e75210f55ead7fad6cf0f809dfb0a00
SHA1: 393f92750e6aff4b439f4780c49e7b0454c4a010
SHA256: c75750db51edf7db96de6dc7834621ed37d1c81a587ea076c16dcaeb190d6bf8
Tags: exe

Detection

AgentTesla, PureLog Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected PureLog Stealer
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign process
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

AV Detection

Source: INVOICE KAD-0138-2024.exe Avira: detected
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Avira: detection malicious, Label: HEUR/AGEN.1305452
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Avira: detection malicious, Label: HEUR/AGEN.1305452
Source: 17.2.BjTxJte.exe.400000.0.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.ipr-co.org", "Username": "info@ipr-co.org", "Password": "IPRco@100102@"}
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe ReversingLabs: Detection: 60%
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Virustotal: Detection: 58%
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe ReversingLabs: Detection: 60%
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Virustotal: Detection: 58%
Source: INVOICE KAD-0138-2024.exe Virustotal: Detection: 58%
Source: INVOICE KAD-0138-2024.exe ReversingLabs: Detection: 60%
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Joe Sandbox ML: detected
Source: INVOICE KAD-0138-2024.exe Joe Sandbox ML: detected
Source: INVOICE KAD-0138-2024.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: INVOICE KAD-0138-2024.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 4x nop then jmp 04FFCD5Ch 20_2_04FFC4F0
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 4x nop then jmp 04FFCD5Ch 20_2_04FFC608

Networking

Source: Yara match File source: 0.2.INVOICE KAD-0138-2024.exe.38ad678.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.INVOICE KAD-0138-2024.exe.3872458.7.raw.unpack, type: UNPACKEDPE
Source: global traffic TCP traffic: 192.168.2.4:49731 -> 185.55.225.242:587
Source: Joe Sandbox View IP Address: 185.55.225.242
Source: Joe Sandbox View IP Address: 172.67.74.152
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown DNS query: name: api.ipify.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: api.ipify.org
Source: global traffic DNS traffic detected: DNS query: mail.ipr-co.org
Source: BjTxJte.exe, 00000011.00000002.2039746976.0000000006432000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.micro
Source: INVOICE KAD-0138-2024.exe, 00000007.00000002.2903677008.0000000002C6C000.00000004.00000800.00020000.00000000.sdmp, cplIqbJaku.exe, 0000000C.00000002.2902387398.00000000034CD000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000011.00000002.2029916623.0000000002D7C000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 0000001A.00000002.2903042286.00000000028CC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ipr-co.org
Source: INVOICE KAD-0138-2024.exe, 00000007.00000002.2903677008.0000000002C6C000.00000004.00000800.00020000.00000000.sdmp, cplIqbJaku.exe, 0000000C.00000002.2902387398.00000000034CD000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000011.00000002.2029916623.0000000002D7C000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 0000001A.00000002.2903042286.00000000028CC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mail.ipr-co.org
Source: INVOICE KAD-0138-2024.exe, 00000007.00000002.2928919324.00000000061EB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://microsoft.co8
Source: BjTxJte.exe, 0000001A.00000002.2897390534.0000000000C29000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://r3.i.lencr.orb
Source: INVOICE KAD-0138-2024.exe, 00000007.00000002.2899787195.0000000000D36000.00000004.00000020.00020000.00000000.sdmp, INVOICE KAD-0138-2024.exe, 00000007.00000002.2903677008.0000000002C74000.00000004.00000800.00020000.00000000.sdmp, INVOICE KAD-0138-2024.exe, 00000007.00000002.2899787195.0000000000D19000.00000004.00000020.00020000.00000000.sdmp, cplIqbJaku.exe, 0000000C.00000002.2929699656.0000000006E0B000.00000004.00000020.00020000.00000000.sdmp, cplIqbJaku.exe, 0000000C.00000002.2897623539.0000000001535000.00000004.00000020.00020000.00000000.sdmp, cplIqbJaku.exe, 0000000C.00000002.2902387398.00000000034D5000.00000004.00000800.00020000.00000000.sdmp, cplIqbJaku.exe, 0000000C.00000002.2897623539.0000000001573000.00000004.00000020.00020000.00000000.sdmp, BjTxJte.exe, 00000011.00000002.2017242278.0000000000E28000.00000004.00000020.00020000.00000000.sdmp, BjTxJte.exe, 00000011.00000002.2039746976.0000000006432000.00000004.00000020.00020000.00000000.sdmp, BjTxJte.exe, 00000011.00000002.2029916623.0000000002D84000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000011.00000002.2017242278.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp, BjTxJte.exe, 00000011.00000002.2017242278.0000000000DF5000.00000004.00000020.00020000.00000000.sdmp, BjTxJte.exe, 0000001A.00000002.2903042286.00000000028D4000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 0000001A.00000002.2897390534.0000000000BB6000.00000004.00000020.00020000.00000000.sdmp, BjTxJte.exe, 0000001A.00000002.2897390534.0000000000C29000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://r3.i.lencr.org/0
Source: INVOICE KAD-0138-2024.exe, 00000007.00000002.2899787195.0000000000D36000.00000004.00000020.00020000.00000000.sdmp, INVOICE KAD-0138-2024.exe, 00000007.00000002.2903677008.0000000002C74000.00000004.00000800.00020000.00000000.sdmp, INVOICE KAD-0138-2024.exe, 00000007.00000002.2899787195.0000000000D19000.00000004.00000020.00020000.00000000.sdmp, cplIqbJaku.exe, 0000000C.00000002.2929699656.0000000006E0B000.00000004.00000020.00020000.00000000.sdmp, cplIqbJaku.exe, 0000000C.00000002.2897623539.0000000001535000.00000004.00000020.00020000.00000000.sdmp, cplIqbJaku.exe, 0000000C.00000002.2902387398.00000000034D5000.00000004.00000800.00020000.00000000.sdmp, cplIqbJaku.exe, 0000000C.00000002.2897623539.0000000001573000.00000004.00000020.00020000.00000000.sdmp, BjTxJte.exe, 00000011.00000002.2017242278.0000000000E28000.00000004.00000020.00020000.00000000.sdmp, BjTxJte.exe, 00000011.00000002.2039746976.0000000006432000.00000004.00000020.00020000.00000000.sdmp, BjTxJte.exe, 00000011.00000002.2029916623.0000000002D84000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000011.00000002.2017242278.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp, BjTxJte.exe, 00000011.00000002.2017242278.0000000000DF5000.00000004.00000020.00020000.00000000.sdmp, BjTxJte.exe, 0000001A.00000002.2903042286.00000000028D4000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 0000001A.00000002.2897390534.0000000000BB6000.00000004.00000020.00020000.00000000.sdmp, BjTxJte.exe, 0000001A.00000002.2897390534.0000000000C29000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://r3.o.lencr.org0
Source: INVOICE KAD-0138-2024.exe, 00000000.00000002.1679743209.0000000002591000.00000004.00000800.00020000.00000000.sdmp, INVOICE KAD-0138-2024.exe, 00000007.00000002.2903677008.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp, cplIqbJaku.exe, 00000008.00000002.1730665096.0000000003141000.00000004.00000800.00020000.00000000.sdmp, cplIqbJaku.exe, 0000000C.00000002.2902387398.0000000003431000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 0000000E.00000002.1890622267.00000000027C6000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000011.00000002.2029916623.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000014.00000002.2029897769.00000000023D6000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 0000001A.00000002.2903042286.000000000285C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: INVOICE KAD-0138-2024.exe, 00000007.00000002.2928919324.00000000061EB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.microsoft.c
Source: BjTxJte.exe, 00000011.00000002.2017242278.0000000000E28000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lenc
Source: INVOICE KAD-0138-2024.exe, 00000007.00000002.2899787195.0000000000D36000.00000004.00000020.00020000.00000000.sdmp, INVOICE KAD-0138-2024.exe, 00000007.00000002.2903677008.0000000002C74000.00000004.00000800.00020000.00000000.sdmp, INVOICE KAD-0138-2024.exe, 00000007.00000002.2899787195.0000000000D19000.00000004.00000020.00020000.00000000.sdmp, cplIqbJaku.exe, 0000000C.00000002.2897623539.0000000001535000.00000004.00000020.00020000.00000000.sdmp, cplIqbJaku.exe, 0000000C.00000002.2902387398.00000000034D5000.00000004.00000800.00020000.00000000.sdmp, cplIqbJaku.exe, 0000000C.00000002.2897623539.0000000001573000.00000004.00000020.00020000.00000000.sdmp, cplIqbJaku.exe, 0000000C.00000002.2897623539.00000000015BF000.00000004.00000020.00020000.00000000.sdmp, BjTxJte.exe, 00000011.00000002.2029916623.0000000002D84000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000011.00000002.2017242278.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp, BjTxJte.exe, 00000011.00000002.2017242278.0000000000DF5000.00000004.00000020.00020000.00000000.sdmp, BjTxJte.exe, 0000001A.00000002.2903042286.00000000028D4000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 0000001A.00000002.2897390534.0000000000BB6000.00000004.00000020.00020000.00000000.sdmp, BjTxJte.exe, 0000001A.00000002.2897390534.0000000000C29000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: INVOICE KAD-0138-2024.exe, 00000007.00000002.2899787195.0000000000D36000.00000004.00000020.00020000.00000000.sdmp, INVOICE KAD-0138-2024.exe, 00000007.00000002.2903677008.0000000002C74000.00000004.00000800.00020000.00000000.sdmp, INVOICE KAD-0138-2024.exe, 00000007.00000002.2899787195.0000000000D19000.00000004.00000020.00020000.00000000.sdmp, cplIqbJaku.exe, 0000000C.00000002.2897623539.0000000001535000.00000004.00000020.00020000.00000000.sdmp, cplIqbJaku.exe, 0000000C.00000002.2902387398.00000000034D5000.00000004.00000800.00020000.00000000.sdmp, cplIqbJaku.exe, 0000000C.00000002.2897623539.0000000001573000.00000004.00000020.00020000.00000000.sdmp, cplIqbJaku.exe, 0000000C.00000002.2897623539.00000000015BF000.00000004.00000020.00020000.00000000.sdmp, BjTxJte.exe, 00000011.00000002.2017242278.0000000000E28000.00000004.00000020.00020000.00000000.sdmp, BjTxJte.exe, 00000011.00000002.2029916623.0000000002D84000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000011.00000002.2017242278.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp, BjTxJte.exe, 00000011.00000002.2017242278.0000000000DF5000.00000004.00000020.00020000.00000000.sdmp, BjTxJte.exe, 0000001A.00000002.2903042286.00000000028D4000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 0000001A.00000002.2897390534.0000000000BB6000.00000004.00000020.00020000.00000000.sdmp, BjTxJte.exe, 0000001A.00000002.2897390534.0000000000C29000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: INVOICE KAD-0138-2024.exe, 00000000.00000002.1681204110.000000000376E000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000011.00000002.1983065671.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://account.dyn.com/
Source: INVOICE KAD-0138-2024.exe, 00000000.00000002.1681204110.000000000376E000.00000004.00000800.00020000.00000000.sdmp, INVOICE KAD-0138-2024.exe, 00000007.00000002.2903677008.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp, cplIqbJaku.exe, 0000000C.00000002.2902387398.0000000003431000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000011.00000002.2029916623.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000011.00000002.1983065671.0000000000402000.00000040.00000400.00020000.00000000.sdmp, BjTxJte.exe, 0000001A.00000002.2903042286.000000000285C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org
Source: INVOICE KAD-0138-2024.exe, 00000007.00000002.2903677008.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp, cplIqbJaku.exe, 0000000C.00000002.2902387398.0000000003431000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000011.00000002.2029916623.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 0000001A.00000002.2903042286.000000000285C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/
Source: INVOICE KAD-0138-2024.exe, 00000007.00000002.2903677008.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp, cplIqbJaku.exe, 0000000C.00000002.2902387398.0000000003431000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000011.00000002.2029916623.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 0000001A.00000002.2903042286.000000000285C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/t
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.INVOICE KAD-0138-2024.exe.38ad678.6.raw.unpack, cPKWk.cs .Net Code: YMhsmU
Source: 0.2.INVOICE KAD-0138-2024.exe.3872458.7.raw.unpack, cPKWk.cs .Net Code: YMhsmU
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\cplIqbJaku.exe
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Window created: window name: CLIPBRDWNDCLASS

System Summary

Source: 0.2.INVOICE KAD-0138-2024.exe.38ad678.6.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.INVOICE KAD-0138-2024.exe.3872458.7.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 17.2.BjTxJte.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.INVOICE KAD-0138-2024.exe.38ad678.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.INVOICE KAD-0138-2024.exe.3872458.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: initial sample Static PE information: Filename: INVOICE KAD-0138-2024.exe
Source: INVOICE KAD-0138-2024.exe, 00000000.00000002.1688237868.0000000005950000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs INVOICE KAD-0138-2024.exe
Source: INVOICE KAD-0138-2024.exe, 00000000.00000002.1666128131.000000000084E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs INVOICE KAD-0138-2024.exe
Source: INVOICE KAD-0138-2024.exe, 00000000.00000002.1687128273.0000000004D90000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameSimpleLogin.dllD vs INVOICE KAD-0138-2024.exe
Source: INVOICE KAD-0138-2024.exe, 00000000.00000002.1679743209.0000000002591000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSimpleLogin.dllD vs INVOICE KAD-0138-2024.exe
Source: INVOICE KAD-0138-2024.exe, 00000000.00000002.1679743209.0000000002628000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamef54f7f17-284c-4a27-976a-0a5fc6b31c33.exe4 vs INVOICE KAD-0138-2024.exe
Source: INVOICE KAD-0138-2024.exe, 00000000.00000002.1681204110.000000000376E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamef54f7f17-284c-4a27-976a-0a5fc6b31c33.exe4 vs INVOICE KAD-0138-2024.exe
Source: INVOICE KAD-0138-2024.exe, 00000000.00000002.1681204110.000000000376E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs INVOICE KAD-0138-2024.exe
Source: INVOICE KAD-0138-2024.exe, 00000007.00000002.2896972241.0000000000938000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs INVOICE KAD-0138-2024.exe
Source: INVOICE KAD-0138-2024.exe Binary or memory string: OriginalFilenameGsQc.exe8 vs INVOICE KAD-0138-2024.exe
Source: INVOICE KAD-0138-2024.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.INVOICE KAD-0138-2024.exe.38ad678.6.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.INVOICE KAD-0138-2024.exe.3872458.7.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 17.2.BjTxJte.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.INVOICE KAD-0138-2024.exe.38ad678.6.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.INVOICE KAD-0138-2024.exe.3872458.7.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: INVOICE KAD-0138-2024.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: cplIqbJaku.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: BjTxJte.exe.7.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.INVOICE KAD-0138-2024.exe.38ad678.6.raw.unpack, cPs8D.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.INVOICE KAD-0138-2024.exe.38ad678.6.raw.unpack, 72CF8egH.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.INVOICE KAD-0138-2024.exe.38ad678.6.raw.unpack, G5CXsdn.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.INVOICE KAD-0138-2024.exe.38ad678.6.raw.unpack, 3uPsILA6U.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.INVOICE KAD-0138-2024.exe.38ad678.6.raw.unpack, 6oQOw74dfIt.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.INVOICE KAD-0138-2024.exe.38ad678.6.raw.unpack, aMIWm.cs Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.INVOICE KAD-0138-2024.exe.38ad678.6.raw.unpack, 3QjbQ514BDx.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.INVOICE KAD-0138-2024.exe.5950000.10.raw.unpack, a0fXIFmNbtDkJMkW8u.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.INVOICE KAD-0138-2024.exe.5950000.10.raw.unpack, kj93586a6eCp1ULOnC.cs Security API names: _0020.SetAccessControl
Source: 0.2.INVOICE KAD-0138-2024.exe.5950000.10.raw.unpack, kj93586a6eCp1ULOnC.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.INVOICE KAD-0138-2024.exe.5950000.10.raw.unpack, kj93586a6eCp1ULOnC.cs Security API names: _0020.AddAccessRule
Source: 0.2.INVOICE KAD-0138-2024.exe.4ee0000.9.raw.unpack, ReactionVessel.cs Suspicious method names: .ReactionVessel.Inject
Source: 0.2.INVOICE KAD-0138-2024.exe.25f7478.0.raw.unpack, ReactionVessel.cs Suspicious method names: .ReactionVessel.Inject
Source: 0.2.INVOICE KAD-0138-2024.exe.25e6800.2.raw.unpack, ReactionVessel.cs Suspicious method names: .ReactionVessel.Inject
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@37/20@2/2
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe File created: C:\Users\user\AppData\Roaming\cplIqbJaku.exe
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7580:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8084:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7480:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7668:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7536:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7496:120:WilError_03
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe File created: C:\Users\user\AppData\Local\Temp\tmpFEC6.tmp
Source: INVOICE KAD-0138-2024.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: INVOICE KAD-0138-2024.exe Virustotal: Detection: 58%
Source: INVOICE KAD-0138-2024.exe ReversingLabs: Detection: 60%
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe File read: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe
Source: unknown Process created: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe "C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe"
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\cplIqbJaku.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cplIqbJaku" /XML "C:\Users\user\AppData\Local\Temp\tmpFEC6.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Process created: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe "C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\cplIqbJaku.exe C:\Users\user\AppData\Roaming\cplIqbJaku.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cplIqbJaku" /XML "C:\Users\user\AppData\Local\Temp\tmp1F10.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Process created: C:\Users\user\AppData\Roaming\cplIqbJaku.exe "C:\Users\user\AppData\Roaming\cplIqbJaku.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe "C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe"
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cplIqbJaku" /XML "C:\Users\user\AppData\Local\Temp\tmp5E3C.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process created: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe "C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe "C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe"
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cplIqbJaku" /XML "C:\Users\user\AppData\Local\Temp\tmp8193.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process created: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe "C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe"
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process created: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe "C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe"
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process created: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe "C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe"
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process created: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe "C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe"
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Section loaded: rasman.dll
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
Source: INVOICE KAD-0138-2024.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: INVOICE KAD-0138-2024.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: 0.2.INVOICE KAD-0138-2024.exe.4ee0000.9.raw.unpack, XG.cs .Net Code: Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777298)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777243)),Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777254))})
Source: 0.2.INVOICE KAD-0138-2024.exe.25f7478.0.raw.unpack, XG.cs .Net Code: Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777298)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777243)),Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777254))})
Source: 0.2.INVOICE KAD-0138-2024.exe.25e6800.2.raw.unpack, XG.cs .Net Code: Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777298)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777243)),Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777254))})
Source: 0.2.INVOICE KAD-0138-2024.exe.5950000.10.raw.unpack, kj93586a6eCp1ULOnC.cs .Net Code: xduIZMEaQB System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Code function: 0_2_00BF47D1 push ebp; retf 0_2_00BF4835
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Code function: 7_2_00BFEEF8 pushad ; retn 064Fh 7_2_00BFEF91
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Code function: 7_2_00BF0C3D push edi; ret 7_2_00BF0CC2
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Code function: 7_2_06651658 push cs; retf 7_2_0665165B
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Code function: 7_2_0665BAC1 push es; ret 7_2_0665BAD0
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Code function: 12_2_0194EEE8 pushad ; retn 0703h 12_2_0194EF91
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Code function: 12_2_01940B4D push edi; ret 12_2_01940CC2
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Code function: 12_2_07191653 push cs; retf 12_2_0719165B
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 17_2_010DEDC8 pushad ; retn 0664h 17_2_010DEE71
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 17_2_010D0B4F push edi; ret 17_2_010D0CC2
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 17_2_010D0C95 push edi; retf 17_2_010D0C3A
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 26_2_00DFEDC8 pushad ; retn 064Ch 26_2_00DFEE71
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 26_2_00DF0B4F push edi; ret 26_2_00DF0CC2
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 26_2_00DF0C95 push edi; retf 26_2_00DF0C3A
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 26_2_06626D62 push es; ret 26_2_06626D70
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 26_2_0662B4A1 push es; ret 26_2_0662B4B0
Source: INVOICE KAD-0138-2024.exe Static PE information: section name: .text entropy: 7.974813070546288
Source: cplIqbJaku.exe.0.dr Static PE information: section name: .text entropy: 7.974813070546288
Source: BjTxJte.exe.7.dr Static PE information: section name: .text entropy: 7.974813070546288
Source: 0.2.INVOICE KAD-0138-2024.exe.5950000.10.raw.unpack, N0AY5RAqCBh0PEsdV1c.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'fUOMK4e1Aa', 'twlMRZNAkF', 'pSPMufocVe', 'k1qMs5vluI', 'X71MvQS5cY', 'HBqMbhTwgb', 'tp2MeAsmAP'
Source: 0.2.INVOICE KAD-0138-2024.exe.5950000.10.raw.unpack, HL1c1WKDUoYeNICoY5.cs High entropy of concatenated method names: 'Eq8jTqADwI', 'iBBj32E71W', 'a8wjKrM3BA', 'PSUjRf74AS', 'RRgjwAObEX', 'mtYjaCxkPk', 't14jyAlg0V', 'tAwjBA3jVM', 'wjFjEObIxc', 'p6CjSO28YH'
Source: 0.2.INVOICE KAD-0138-2024.exe.5950000.10.raw.unpack, OnDtZmPM4Nq3y5n6SI.cs High entropy of concatenated method names: 'oQQpmGULlG', 'uDepl22hc1', 'OcNpJGmbYx', 'A84pwm0Yrj', 'NAOpyY6TRy', 'gsOpB9F5nm', 'vilpSsushg', 'R0ep5xWS3p', 'vsLpTJ2Hdx', 'f1Dp8BElb0'
Source: 0.2.INVOICE KAD-0138-2024.exe.5950000.10.raw.unpack, y4VYt7z1ZBLJE3PdqZ.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Y60opc2hbZ', 'nugoj1lSXl', 'Qf5oCXx177', 'fmuoNimMrP', 'TY8orU39aY', 'G9sooOC25r', 'lpboM5GhJt'
Source: 0.2.INVOICE KAD-0138-2024.exe.5950000.10.raw.unpack, N1QWU7kepnAr9EWwrL.cs High entropy of concatenated method names: 'qRRr9VGP10', 'egarG4qbCD', 'U51rYqG2sV', 'z9BrFQF9Ub', 'jaQr71OXv0', 'cKnrtExVZ7', 'oS2r6Jw8q9', 'n4jrX3gtKK', 'DVfr42keII', 'Et7rD1ePHP'
Source: 0.2.INVOICE KAD-0138-2024.exe.5950000.10.raw.unpack, gwXDIGJbemAxWVxQfu.cs High entropy of concatenated method names: 'MeC7iV0ulW', 'pqX7GtM3W7', 'sj77FfUQK2', 'HWK7tuTnQc', 'yVF76eV6qd', 'ia7Fvc1KyW', 'akZFbShDKy', 'AxkFeHUMpi', 'rJoFk3wgXC', 'rOlFxjnPA9'
Source: 0.2.INVOICE KAD-0138-2024.exe.5950000.10.raw.unpack, OhrZQ7bgsKfFeGZyaM.cs High entropy of concatenated method names: 'D9vNkglP4F', 'EvMN2Ufmwq', 'blCrHQ0iy4', 'SlDrAd2WVA', 'zSkN88aqUi', 'nQPN3SsdAI', 'UttNP4rBaO', 'KRUNKwj3LQ', 'sfQNRTnLjA', 'LipNujFwxE'
Source: 0.2.INVOICE KAD-0138-2024.exe.5950000.10.raw.unpack, K7JNIhxxL4y3OWV7EP.cs High entropy of concatenated method names: 'YjkrJqC5Ut', 'cAZrwHfjeW', 'q72raIUMfk', 'zLLryNjhag', 'IZdrKZXyJ0', 'nqOrBgEqBv', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.INVOICE KAD-0138-2024.exe.5950000.10.raw.unpack, T5IamDn7KnhaoTmM6K.cs High entropy of concatenated method names: 'aXItOtyKBh', 'IPOtWH3uwR', 'S3RtZKuxcJ', 'OW9tdZDQcm', 'JDgthcWlOs', 'tMdt1FCnnA', 'xSrtfJsFMh', 'ztvtmjjE3H', 'vpCtl1P3nb', 'd0pt0C5n4j'
Source: 0.2.INVOICE KAD-0138-2024.exe.5950000.10.raw.unpack, KsFkbhAHn0HDYQgHQWi.cs High entropy of concatenated method names: 'j49oOWfx5e', 'FG5oWa4pZ3', 'Tc0oZM3x9m', 'vbeod8cveF', 'gtgoh6pG0n', 'Iqho1FqqAb', 'MnfofCpg5f', 'vBGomXhJq5', 'U2soln4VOF', 'kHoo0As2vD'
Source: 0.2.INVOICE KAD-0138-2024.exe.5950000.10.raw.unpack, bYSUvUSMperMDteCjW.cs High entropy of concatenated method names: 'Xcbt9l4gdN', 'ElXtYvJ2kh', 'm6Bt7RhK4i', 'vA872iS61F', 'vIH7zLEljc', 'H1PtHbFXgh', 'exltALSH33', 'yTGtUClTkr', 'XNXtqKcHHw', 'o8FtI2cBle'
Source: 0.2.INVOICE KAD-0138-2024.exe.5950000.10.raw.unpack, fDQr3nlGMvZ9fbaJjq.cs High entropy of concatenated method names: 'BSDYdHdcKq', 'oHdY1B5Euo', 'FgSYmCapCl', 'mi9YlntToj', 'WJCYjq7eSI', 'IRsYCFUuFN', 'RF6YNVXu5y', 'NiRYrbQ3nF', 'xHjYodUiwC', 'VhWYMc1s2j'
Source: 0.2.INVOICE KAD-0138-2024.exe.5950000.10.raw.unpack, a0fXIFmNbtDkJMkW8u.cs High entropy of concatenated method names: 'Im7GKGu20c', 'h4JGRvvfgY', 'GyyGuhErlD', 'qDcGsUOdiT', 'LARGvepySh', 'TyaGbkOsAL', 'q5GGehE9ij', 'NHHGkljepF', 'FhgGxeydQ3', 'XfmG2haE4Z'
Source: 0.2.INVOICE KAD-0138-2024.exe.5950000.10.raw.unpack, kj93586a6eCp1ULOnC.cs High entropy of concatenated method names: 'V6IqilugO5', 'gsBq9o0iWL', 'ElVqG87boP', 'mD3qYhA0ZX', 'j1AqF5xCtX', 'Mbjq7D2RBk', 'cnhqt6uqk9', 'GfWq6oRtBB', 'H91qX6lUVp', 'g07q4UEBC0'
Source: 0.2.INVOICE KAD-0138-2024.exe.5950000.10.raw.unpack, A0RFJyGYwMDTWdy6Wu.cs High entropy of concatenated method names: 'Dispose', 'BtlAxTb4pa', 'so7UwOv84n', 'HgxLLfaOdr', 'jn1A2QWU7e', 'nnAAzr9EWw', 'ProcessDialogKey', 'rLEUH7JNIh', 'XL4UAy3OWV', 'iEPUUfZOwk'
Source: 0.2.INVOICE KAD-0138-2024.exe.5950000.10.raw.unpack, CZOwka2JMCCrwAjSb9.cs High entropy of concatenated method names: 'w8joAHITSj', 'ixboqhHsBS', 'DfJoI4G2DB', 'TVuo9DZ83R', 'R2koGC2YI7', 'dkQoFK0aGf', 'quMo7KU9EZ', 'pijreW2oIe', 'ROWrkmjUi3', 'Rntrx4eMHw'
Source: 0.2.INVOICE KAD-0138-2024.exe.5950000.10.raw.unpack, KEloouUkhDrJxanf6p.cs High entropy of concatenated method names: 'h8LZEFoj9', 'wEjd9X0RM', 'sR91dPLy9', 'kQRfBrQ6B', 'hKalZlX3m', 'Hgs0EdhbL', 'OZmeD1g8ldWg9XKyUq', 'aCkflouhRDd1fpVV7H', 'vHrrM16HN', 'SkcMCeIRI'
Source: 0.2.INVOICE KAD-0138-2024.exe.5950000.10.raw.unpack, pcDuFFAUPfgx8DwcowC.cs High entropy of concatenated method names: 'qaAMOCdSOP', 'Nk2MWZLrQ6', 'IDrMZEcGpv', 'saionrqBUl6guLiIYtg', 'DeyPRdqKunxMQl7W5fl', 'PG7fLmqEjq3rYrGkkI4', 'l1Ve6jqnlgo7sFxs0T3'
Source: 0.2.INVOICE KAD-0138-2024.exe.5950000.10.raw.unpack, C3bJ34wtvgdqHaHuio.cs High entropy of concatenated method names: 'YUN1fee9VMTTdLttCD1', 'LePBnaeWUmUrr6lQhkp', 'FY67rRayFn', 'UIK7o4QPPu', 'ndf7MGqEwN', 'yJcxsheDVh5j8FIAYVs', 'Am6vCuehFJu3FT22wdc'
Source: 0.2.INVOICE KAD-0138-2024.exe.5950000.10.raw.unpack, OFyiEBIilPr5lLlLZi.cs High entropy of concatenated method names: 'lwHAt0fXIF', 'qbtA6DkJMk', 'MGMA4vZ9fb', 'HJjADq3bGw', 'Bk3Ajq0GwX', 'nIGACbemAx', 'fs1FvnbjfgojG3JTMT', 'CpMZC71KbXJ8cFT8kf', 'GuTAA2UiBg', 'LpXAq7CVGs'
Source: 0.2.INVOICE KAD-0138-2024.exe.4ee0000.9.raw.unpack, XG.cs High entropy of concatenated method names: 'S1d', 'RgtTUJcyZL', 'n1Q', 'M1r', 'Y1a', 'U1m', 'k2an4M', 'gt', 'kU', 'rK'
Source: 0.2.INVOICE KAD-0138-2024.exe.25f7478.0.raw.unpack, XG.cs High entropy of concatenated method names: 'S1d', 'RgtTUJcyZL', 'n1Q', 'M1r', 'Y1a', 'U1m', 'k2an4M', 'gt', 'kU', 'rK'
Source: 0.2.INVOICE KAD-0138-2024.exe.25e6800.2.raw.unpack, XG.cs High entropy of concatenated method names: 'S1d', 'RgtTUJcyZL', 'n1Q', 'M1r', 'Y1a', 'U1m', 'k2an4M', 'gt', 'kU', 'rK'
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe File created: C:\Users\user\AppData\Roaming\cplIqbJaku.exe
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe File created: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe

Boot Survival

Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cplIqbJaku" /XML "C:\Users\user\AppData\Local\Temp\tmpFEC6.tmp"
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run BjTxJte

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe File opened: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe File opened: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot (2 identical entries)
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot (2 identical entries)
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Process information set: NOOPENFILEERRORBOX (64 occurrences)
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Process information set: NOOPENFILEERRORBOX (103 occurrences)
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process information set: NOOPENFILEERRORBOX (112 occurrences)

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: INVOICE KAD-0138-2024.exe PID: 7420, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cplIqbJaku.exe PID: 7824, type: MEMORYSTR
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Memory allocated: BF0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Memory allocated: 2590000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Memory allocated: 4590000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Memory allocated: 59D0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Memory allocated: 69D0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Memory allocated: 6C10000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Memory allocated: 7C10000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Memory allocated: BF0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Memory allocated: 2BF0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Memory allocated: 1220000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Memory allocated: 15A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Memory allocated: 3140000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Memory allocated: 2F40000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Memory allocated: 65E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Memory allocated: 75E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Memory allocated: 7820000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Memory allocated: 8820000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Memory allocated: 1900000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Memory allocated: 3430000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Memory allocated: 3250000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory allocated: 9C0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory allocated: 2750000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory allocated: 2420000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory allocated: 5B10000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory allocated: 6B10000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory allocated: 6D50000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory allocated: 7D50000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory allocated: 1090000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory allocated: 2D00000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory allocated: 2B10000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory allocated: 9E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory allocated: 2360000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory allocated: 4360000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory allocated: 5A50000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory allocated: 6A50000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory allocated: 6C90000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory allocated: 7C90000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory allocated: D60000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory allocated: 2850000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory allocated: 26F0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Thread delayed: delay time: 1199953
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Thread delayed: delay time: 1199843
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Thread delayed: delay time: 1199733
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Thread delayed: delay time: 1199625
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Thread delayed: delay time: 1199516
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Thread delayed: delay time: 1199406
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Thread delayed: delay time: 1199293
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Thread delayed: delay time: 1199176
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Thread delayed: delay time: 1199047
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Thread delayed: delay time: 1198935
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Thread delayed: delay time: 1198625
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Thread delayed: delay time: 1198514
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Thread delayed: delay time: 1198405
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Thread delayed: delay time: 1198278
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Thread delayed: delay time: 1199003
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Thread delayed: delay time: 1198869
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Thread delayed: delay time: 1198763
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Thread delayed: delay time: 1198655
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Thread delayed: delay time: 1198547
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Thread delayed: delay time: 1198416
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Thread delayed: delay time: 1198310
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Thread delayed: delay time: 1198194
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Thread delayed: delay time: 1198076
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Thread delayed: delay time: 1197969
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Thread delayed: delay time: 1197834
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Thread delayed: delay time: 1197703
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Thread delayed: delay time: 1197594
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Thread delayed: delay time: 1197484
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1199938
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1199813
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1199688
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1199578
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1199469
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3810
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4444
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Window / User API: threadDelayed 7082
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Window / User API: threadDelayed 2734
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Window / User API: threadDelayed 3354
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Window / User API: threadDelayed 6491
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Window / User API: threadDelayed 3124
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Window / User API: threadDelayed 2303
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Window / User API: threadDelayed 2109
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Window / User API: threadDelayed 7723
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe TID: 7440 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7620 Thread sleep count: 3810 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7816 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7620 Thread sleep count: 138 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7724 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7856 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7780 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe TID: 8012 Thread sleep time: -39660499758475511s >= -30000s
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe TID: 8012 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe TID: 8012 Thread sleep time: -99851s >= -30000s
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe TID: 8012 Thread sleep time: -99547s >= -30000s
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe TID: 8012 Thread sleep time: -98500s >= -30000s
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe TID: 8012 Thread sleep time: -98390s >= -30000s
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe TID: 8012 Thread sleep time: -98279s >= -30000s
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe TID: 8012 Thread sleep time: -98171s >= -30000s
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe TID: 8012 Thread sleep time: -98062s >= -30000s
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe TID: 8012 Thread sleep time: -97953s >= -30000s
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe TID: 8012 Thread sleep time: -97844s >= -30000s
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe TID: 8012 Thread sleep time: -97697s >= -30000s
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe TID: 8012 Thread sleep time: -97585s >= -30000s
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe TID: 8012 Thread sleep time: -97465s >= -30000s
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe TID: 8012 Thread sleep time: -97359s >= -30000s
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe TID: 8012 Thread sleep time: -97250s >= -30000s
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe TID: 8012 Thread sleep time: -97141s >= -30000s
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe TID: 8012 Thread sleep time: -97031s >= -30000s
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe TID: 8012 Thread sleep time: -96922s >= -30000s
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe TID: 8012 Thread sleep time: -96810s >= -30000s
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe TID: 8012 Thread sleep time: -96703s >= -30000s
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe TID: 8012 Thread sleep time: -96594s >= -30000s
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe TID: 8012 Thread sleep time: -96471s >= -30000s
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe TID: 8012 Thread sleep time: -96344s >= -30000s
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe TID: 8012 Thread sleep time: -96234s >= -30000s
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe TID: 8012 Thread sleep time: -96125s >= -30000s
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe TID: 8012 Thread sleep time: -96015s >= -30000s
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe TID: 8012 Thread sleep time: -95906s >= -30000s
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe TID: 8012 Thread sleep time: -95793s >= -30000s
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe TID: 8012 Thread sleep time: -95672s >= -30000s
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe TID: 8012 Thread sleep time: -95562s >= -30000s
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe TID: 8012 Thread sleep time: -95450s >= -30000s
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe TID: 8012 Thread sleep time: -95344s >= -30000s
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe TID: 8012 Thread sleep time: -95234s >= -30000s
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe TID: 8012 Thread sleep time: -93736s >= -30000s
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe TID: 8012 Thread sleep time: -93579s >= -30000s
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe TID: 8012 Thread sleep time: -93453s >= -30000s
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe TID: 8012 Thread sleep time: -93342s >= -30000s
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe TID: 8012 Thread sleep time: -93204s >= -30000s
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe TID: 8012 Thread sleep time: -93078s >= -30000s
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe TID: 8012 Thread sleep time: -92924s >= -30000s
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe TID: 8012 Thread sleep time: -1199953s >= -30000s
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe TID: 8012 Thread sleep time: -1199843s >= -30000s
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe TID: 8012 Thread sleep time: -1199733s >= -30000s
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe TID: 8012 Thread sleep time: -1199625s >= -30000s
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe TID: 8012 Thread sleep time: -1199516s >= -30000s
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe TID: 8012 Thread sleep time: -1199406s >= -30000s
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe TID: 8012 Thread sleep time: -1199293s >= -30000s
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe TID: 8012 Thread sleep time: -1199176s >= -30000s
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe TID: 8012 Thread sleep time: -1199047s >= -30000s
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe TID: 8012 Thread sleep time: -1198935s >= -30000s
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe TID: 8012 Thread sleep time: -1198625s >= -30000s
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe TID: 8012 Thread sleep time: -1198514s >= -30000s
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe TID: 8012 Thread sleep time: -1198405s >= -30000s
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe TID: 8012 Thread sleep time: -1198278s >= -30000s
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe TID: 7920 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe TID: 7208 Thread sleep count: 43 > 30
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe TID: 7208 Thread sleep time: -39660499758475511s >= -30000s
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe TID: 7208 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe TID: 7208 Thread sleep time: -99444s >= -30000s
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe TID: 5996 Thread sleep count: 3354 > 30
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe TID: 5996 Thread sleep count: 6491 > 30
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe TID: 7208 Thread sleep time: -99327s >= -30000s
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe TID: 7208 Thread sleep time: -99219s >= -30000s
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe TID: 7208 Thread sleep time: -99094s >= -30000s
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe TID: 7208 Thread sleep time: -98983s >= -30000s
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe TID: 7208 Thread sleep time: -98874s >= -30000s
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe TID: 7208 Thread sleep time: -98762s >= -30000s
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe TID: 7208 Thread sleep time: -98655s >= -30000s
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe TID: 7208 Thread sleep time: -98545s >= -30000s
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe TID: 7208 Thread sleep time: -98020s >= -30000s
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe TID: 7208 Thread sleep time: -97883s >= -30000s
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe TID: 7208 Thread sleep time: -97763s >= -30000s
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe TID: 7208 Thread sleep time: -93725s >= -30000s
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe TID: 7208 Thread sleep time: -93624s >= -30000s
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe TID: 7208 Thread sleep time: -93473s >= -30000s
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe TID: 7208 Thread sleep time: -93344s >= -30000s
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe TID: 7208 Thread sleep time: -93224s >= -30000s
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe TID: 7208 Thread sleep time: -93094s >= -30000s
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe TID: 7208 Thread sleep time: -92983s >= -30000s
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe TID: 7208 Thread sleep time: -92873s >= -30000s
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe TID: 7208 Thread sleep time: -92763s >= -30000s
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe TID: 7208 Thread sleep time: -92647s >= -30000s
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe TID: 7208 Thread sleep time: -92525s >= -30000s
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe TID: 7208 Thread sleep time: -92405s >= -30000s
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe TID: 7208 Thread sleep time: -92297s >= -30000s
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe TID: 7208 Thread sleep time: -92187s >= -30000s
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe TID: 7208 Thread sleep time: -92076s >= -30000s
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe TID: 7208 Thread sleep time: -91968s >= -30000s
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe TID: 7208 Thread sleep time: -91859s >= -30000s
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe TID: 7208 Thread sleep time: -91747s >= -30000s
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe TID: 7208 Thread sleep time: -91620s >= -30000s
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe TID: 7208 Thread sleep time: -91515s >= -30000s
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe TID: 7208 Thread sleep time: -91406s >= -30000s
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe TID: 7208 Thread sleep time: -91296s >= -30000s
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe TID: 7208 Thread sleep time: -91186s >= -30000s
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe TID: 7208 Thread sleep time: -91077s >= -30000s
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe TID: 7208 Thread sleep time: -1199003s >= -30000s
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe TID: 7208 Thread sleep time: -1198869s >= -30000s
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe TID: 7208 Thread sleep time: -1198763s >= -30000s
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe TID: 7208 Thread sleep time: -1198655s >= -30000s
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe TID: 7208 Thread sleep time: -1198547s >= -30000s
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe TID: 7208 Thread sleep time: -1198416s >= -30000s
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe TID: 7208 Thread sleep time: -1198310s >= -30000s
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe TID: 7208 Thread sleep time: -1198194s >= -30000s
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe TID: 7208 Thread sleep time: -1198076s >= -30000s
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe TID: 7208 Thread sleep time: -1197969s >= -30000s
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe TID: 7208 Thread sleep time: -1197834s >= -30000s
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe TID: 7208 Thread sleep time: -1197703s >= -30000s
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe TID: 7208 Thread sleep time: -1197594s >= -30000s
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe TID: 7208 Thread sleep time: -1197484s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 1908 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7716 Thread sleep time: -21213755684765971s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7716 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7716 Thread sleep time: -99891s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7684 Thread sleep count: 3124 > 30
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7684 Thread sleep count: 2303 > 30
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7716 Thread sleep time: -99781s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7716 Thread sleep time: -99666s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7716 Thread sleep time: -99560s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7716 Thread sleep time: -99453s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7716 Thread sleep time: -99343s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7716 Thread sleep time: -99234s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7716 Thread sleep time: -99125s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7716 Thread sleep time: -99010s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7716 Thread sleep time: -98906s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7716 Thread sleep time: -98797s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7716 Thread sleep time: -98687s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7716 Thread sleep time: -98571s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7716 Thread sleep time: -98468s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7716 Thread sleep time: -98358s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7716 Thread sleep time: -98250s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7716 Thread sleep time: -98141s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7716 Thread sleep time: -98031s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7716 Thread sleep time: -97900s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7716 Thread sleep time: -96313s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7716 Thread sleep time: -96125s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7716 Thread sleep time: -95982s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7716 Thread sleep time: -95859s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7716 Thread sleep time: -95746s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7716 Thread sleep time: -95532s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7716 Thread sleep time: -95311s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7716 Thread sleep time: -95199s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7716 Thread sleep time: -95025s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7716 Thread sleep time: -94783s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7716 Thread sleep time: -94490s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7716 Thread sleep time: -94359s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7928 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8060 Thread sleep time: -24903104499507879s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8060 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8060 Thread sleep time: -99875s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8060 Thread sleep time: -99765s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8060 Thread sleep time: -99656s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8060 Thread sleep time: -99547s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8060 Thread sleep time: -99422s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8060 Thread sleep time: -99313s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8060 Thread sleep time: -99188s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8060 Thread sleep time: -99075s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8060 Thread sleep time: -98969s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8060 Thread sleep time: -98844s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8060 Thread sleep time: -98734s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8060 Thread sleep time: -98625s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8060 Thread sleep time: -98516s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8060 Thread sleep time: -98406s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8060 Thread sleep time: -98297s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8060 Thread sleep time: -98188s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8060 Thread sleep time: -98063s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8060 Thread sleep time: -97953s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8060 Thread sleep time: -97844s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8060 Thread sleep time: -97719s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8060 Thread sleep time: -97610s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8060 Thread sleep time: -97485s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8060 Thread sleep time: -97360s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8060 Thread sleep time: -97235s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8060 Thread sleep time: -97110s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8060 Thread sleep time: -96985s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8060 Thread sleep time: -96860s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8060 Thread sleep time: -96735s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8060 Thread sleep time: -96610s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8060 Thread sleep time: -96485s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8060 Thread sleep time: -96360s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8060 Thread sleep time: -96235s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8060 Thread sleep time: -96110s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8060 Thread sleep time: -95985s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8060 Thread sleep time: -95860s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8060 Thread sleep time: -95735s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8060 Thread sleep time: -95610s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8060 Thread sleep time: -95485s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8060 Thread sleep time: -95360s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8060 Thread sleep time: -95235s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8060 Thread sleep time: -95110s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8060 Thread sleep time: -94985s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8060 Thread sleep time: -94860s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8060 Thread sleep time: -94735s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8060 Thread sleep time: -1199938s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8060 Thread sleep time: -1199813s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8060 Thread sleep time: -1199688s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8060 Thread sleep time: -1199578s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 8060 Thread sleep time: -1199469s >= -30000s
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Thread delayed: delay time: 100000
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Thread delayed: delay time: 99851
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Thread delayed: delay time: 99547
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Thread delayed: delay time: 98500
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Thread delayed: delay time: 98390
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Thread delayed: delay time: 98279
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Thread delayed: delay time: 98171
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Thread delayed: delay time: 98062
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Thread delayed: delay time: 97953
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Thread delayed: delay time: 97844
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Thread delayed: delay time: 97697
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Thread delayed: delay time: 97585
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Thread delayed: delay time: 97465
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Thread delayed: delay time: 97359
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Thread delayed: delay time: 97250
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Thread delayed: delay time: 97141
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Thread delayed: delay time: 97031
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Thread delayed: delay time: 96922
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Thread delayed: delay time: 96810
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Thread delayed: delay time: 96703
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Thread delayed: delay time: 96594
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Thread delayed: delay time: 96471
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Thread delayed: delay time: 96344
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Thread delayed: delay time: 96234
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Thread delayed: delay time: 96125
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Thread delayed: delay time: 96015
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Thread delayed: delay time: 95906
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Thread delayed: delay time: 95793
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Thread delayed: delay time: 95672
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Thread delayed: delay time: 95562
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Thread delayed: delay time: 95450
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Thread delayed: delay time: 95344
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Thread delayed: delay time: 95234
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Thread delayed: delay time: 93736
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Thread delayed: delay time: 93579
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Thread delayed: delay time: 93453
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Thread delayed: delay time: 93342
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Thread delayed: delay time: 93204
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Thread delayed: delay time: 93078
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Thread delayed: delay time: 92924
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Thread delayed: delay time: 1199953
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Thread delayed: delay time: 1199843
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Thread delayed: delay time: 1199733
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Thread delayed: delay time: 1199625
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Thread delayed: delay time: 1199516
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Thread delayed: delay time: 1199406
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Thread delayed: delay time: 1199293
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Thread delayed: delay time: 1199176
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Thread delayed: delay time: 1199047
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Thread delayed: delay time: 1198935
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Thread delayed: delay time: 1198625
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Thread delayed: delay time: 1198514
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Thread delayed: delay time: 1198405
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Thread delayed: delay time: 1198278
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Thread delayed: delay time: 99444
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Thread delayed: delay time: 99327
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Thread delayed: delay time: 99219
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Thread delayed: delay time: 99094
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Thread delayed: delay time: 98983
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Thread delayed: delay time: 98874
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Thread delayed: delay time: 98762
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Thread delayed: delay time: 98655
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Thread delayed: delay time: 98545
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Thread delayed: delay time: 98020
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Thread delayed: delay time: 97883
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Thread delayed: delay time: 97763
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Thread delayed: delay time: 93725
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Thread delayed: delay time: 93624
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Thread delayed: delay time: 93473
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Thread delayed: delay time: 93344
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Thread delayed: delay time: 93224
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Thread delayed: delay time: 93094
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Thread delayed: delay time: 92983
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Thread delayed: delay time: 92873
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Thread delayed: delay time: 92763
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Thread delayed: delay time: 92647
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Thread delayed: delay time: 92525
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Thread delayed: delay time: 92405
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Thread delayed: delay time: 92297
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Thread delayed: delay time: 92187
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Thread delayed: delay time: 92076
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Thread delayed: delay time: 91968
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Thread delayed: delay time: 91859
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Thread delayed: delay time: 91747
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Thread delayed: delay time: 91620
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Thread delayed: delay time: 91515
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Thread delayed: delay time: 91406
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Thread delayed: delay time: 91296
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Thread delayed: delay time: 91186
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Thread delayed: delay time: 91077
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Thread delayed: delay time: 1199003
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Thread delayed: delay time: 1198869
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Thread delayed: delay time: 1198763
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Thread delayed: delay time: 1198655
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Thread delayed: delay time: 1198547
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Thread delayed: delay time: 1198416
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Thread delayed: delay time: 1198310
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Thread delayed: delay time: 1198194
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Thread delayed: delay time: 1198076
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Thread delayed: delay time: 1197969
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Thread delayed: delay time: 1197834
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Thread delayed: delay time: 1197703
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Thread delayed: delay time: 1197594
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Thread delayed: delay time: 1197484
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 99891
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 99781
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 99666
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 99560
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 99453
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 99343
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 99234
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 99125
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 99010
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 98906
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 98797
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 98687
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 98571
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 98468
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 98358
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 98250
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 98141
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 98031
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 97900
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 96313
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 96125
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 95982
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 95859
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 95746
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 95532
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 95311
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 95199
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 95025
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 94783
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 94490
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 94359
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 99875
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 99765
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 99656
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 99547
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 99422
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 99313
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 99188
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 99075
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 98969
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 98844
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 98734
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 98625
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 98516
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 98406
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 98297
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 98188
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 98063
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 97953
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 97844
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 97719
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 97610
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 97485
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 97360
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 97235
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 97110
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 96985
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 96860
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 96735
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 96610
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 96485
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 96360
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 96235
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 96110
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 95985
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 95860
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 95735
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 95610
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 95485
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 95360
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 95235
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 95110
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 94985
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 94860
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 94735
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1199938
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1199813
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1199688
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1199578
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1199469
Source: BjTxJte.exe, 00000011.00000002.2017242278.0000000000E28000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll=
Source: BjTxJte.exe, 0000001A.00000002.2897390534.0000000000C29000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll>
Source: INVOICE KAD-0138-2024.exe, 00000007.00000002.2899787195.0000000000D65000.00000004.00000020.00020000.00000000.sdmp, cplIqbJaku.exe, 0000000C.00000002.2897623539.00000000015BF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe"
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\cplIqbJaku.exe"
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe"
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\cplIqbJaku.exe"
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory written: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe"
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\cplIqbJaku.exe"
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cplIqbJaku" /XML "C:\Users\user\AppData\Local\Temp\tmpFEC6.tmp"
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Process created: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe "C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe"
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cplIqbJaku" /XML "C:\Users\user\AppData\Local\Temp\tmp1F10.tmp"
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Process created: C:\Users\user\AppData\Roaming\cplIqbJaku.exe "C:\Users\user\AppData\Roaming\cplIqbJaku.exe"
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cplIqbJaku" /XML "C:\Users\user\AppData\Local\Temp\tmp5E3C.tmp"
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process created: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe "C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe"
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cplIqbJaku" /XML "C:\Users\user\AppData\Local\Temp\tmp8193.tmp"
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process created: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe "C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe"
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process created: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe "C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe"
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process created: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe "C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe"
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process created: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe "C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe"
Source: cplIqbJaku.exe, 0000000C.00000002.2902387398.00000000034E6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR^q|
Source: INVOICE KAD-0138-2024.exe, 00000007.00000002.2903677008.0000000002C7F000.00000004.00000800.00020000.00000000.sdmp, cplIqbJaku.exe, 0000000C.00000002.2902387398.00000000034E6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: cplIqbJaku.exe, 0000000C.00000002.2902387398.00000000034E6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $^q3<b>[ Program Manager]</b> (04/05/2024 11:13:22)<br>
Source: INVOICE KAD-0138-2024.exe, 00000007.00000002.2903677008.0000000002C7F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR^q
Source: INVOICE KAD-0138-2024.exe, 00000007.00000002.2903677008.0000000002C7F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $^q9<b>[ Program Manager]</b> (05/05/2024 01:35:33)<br>{Win}rTHcq
Source: INVOICE KAD-0138-2024.exe, 00000007.00000002.2903677008.0000000002C7F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $^q3<b>[ Program Manager]</b> (05/05/2024 01:35:33)<br>
Source: cplIqbJaku.exe, 0000000C.00000002.2902387398.00000000034E6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $^q9<b>[ Program Manager]</b> (04/05/2024 11:13:22)<br>{Win}rTHcq0
Source: INVOICE KAD-0138-2024.exe, 00000007.00000002.2903677008.0000000002C7F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $^q8<b>[ Program Manager]</b> (05/05/2024 01:35:33)<br>{Win}THcq
Source: cplIqbJaku.exe, 0000000C.00000002.2902387398.00000000034E6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $^q8<b>[ Program Manager]</b> (04/05/2024 11:13:22)<br>{Win}THcq0
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Queries volume information: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe VolumeInformation
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Queries volume information: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe VolumeInformation
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Queries volume information: C:\Users\user\AppData\Roaming\cplIqbJaku.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Queries volume information: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\Desktop\INVOICE KAD-0138-2024.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\cplIqbJaku.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Remote Access Functionality

Source: Yara match File source: 00000008.00000002.1730665096.0000000003141000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1730665096.00000000033AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1890622267.00000000029FF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1679743209.00000000027FE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY