Windows Analysis Report
Telco 32pcs New Purchase Order.exe

Overview

General Information

Sample name: Telco 32pcs New Purchase Order.exe
Analysis ID: 1519146
MD5: 8d310f2e831174aac8eaa5eba20e87ad
SHA1: 600ef55976b69523c7973c5d0aeeb91f3fdcf97e
SHA256: 457b6241f125cd8c4f030e7b7f05829b89a5e831f624225cb70ea272ecd88876
Tags: AgentTeslaexeuser-cocaman
Infos:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Agent Tesla, AgentTesla A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
 https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

AV Detection
barindex
Antivirus detection for URL or domain
Source: http://mail.iaa-airferight.com Avira URL Cloud: Label: malware
Found malware configuration
Source: 0.2.Telco 32pcs New Purchase Order.exe.3db27b8.2.raw.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "25", "Host": "mail.iaa-airferight.com", "Username": "mail@iaa-airferight.com", "Password": "Asaprocky11"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe ReversingLabs: Detection: 44%
Multi AV Scanner detection for submitted file
Source: Telco 32pcs New Purchase Order.exe ReversingLabs: Detection: 44%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Telco 32pcs New Purchase Order.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: Telco 32pcs New Purchase Order.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.8:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.8:49712 version: TLS 1.2
Source: Telco 32pcs New Purchase Order.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: yuyGs.pdb source: Telco 32pcs New Purchase Order.exe, zBzzGAdzqF.exe.0.dr
Source: Binary string: yuyGs.pdbSHA256m source: Telco 32pcs New Purchase Order.exe, zBzzGAdzqF.exe.0.dr
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Code function: 4x nop then jmp 071DCB88h 0_2_071DD062
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Code function: 4x nop then jmp 073EBA20h 11_2_073EBEFA

Networking
barindex
Yara detected Generic Downloader
Source: Yara match File source: 0.2.Telco 32pcs New Purchase Order.exe.3ded1d8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Telco 32pcs New Purchase Order.exe.3db27b8.2.raw.unpack, type: UNPACKEDPE
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View IP Address: 46.175.148.58 46.175.148.58
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: ASLAGIDKOM-NETUA ASLAGIDKOM-NETUA
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
May check the online IP address of the machine
Source: unknown DNS query: name: api.ipify.org
Source: unknown DNS query: name: api.ipify.org
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.8:49711 -> 46.175.148.58:25
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: api.ipify.org
Source: global traffic DNS traffic detected: DNS query: mail.iaa-airferight.com
Source: Telco 32pcs New Purchase Order.exe, zBzzGAdzqF.exe.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: Telco 32pcs New Purchase Order.exe, zBzzGAdzqF.exe.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: Telco 32pcs New Purchase Order.exe, zBzzGAdzqF.exe.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: Telco 32pcs New Purchase Order.exe, zBzzGAdzqF.exe.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: zBzzGAdzqF.exe, 0000000F.00000002.2701127043.0000000006B52000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.mG
Source: Telco 32pcs New Purchase Order.exe, zBzzGAdzqF.exe.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Telco 32pcs New Purchase Order.exe, zBzzGAdzqF.exe.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: Telco 32pcs New Purchase Order.exe, zBzzGAdzqF.exe.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: Telco 32pcs New Purchase Order.exe, zBzzGAdzqF.exe.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Telco 32pcs New Purchase Order.exe, zBzzGAdzqF.exe.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: Telco 32pcs New Purchase Order.exe, 0000000A.00000002.2689533130.0000000002C0C000.00000004.00000800.00020000.00000000.sdmp, zBzzGAdzqF.exe, 0000000F.00000002.2689631627.0000000003165000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mail.iaa-airferight.com
Source: Telco 32pcs New Purchase Order.exe, zBzzGAdzqF.exe.0.dr String found in binary or memory: http://ocsp.digicert.com0
Source: Telco 32pcs New Purchase Order.exe, zBzzGAdzqF.exe.0.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: Telco 32pcs New Purchase Order.exe, zBzzGAdzqF.exe.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: Telco 32pcs New Purchase Order.exe, zBzzGAdzqF.exe.0.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: Telco 32pcs New Purchase Order.exe, zBzzGAdzqF.exe.0.dr String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: Telco 32pcs New Purchase Order.exe, zBzzGAdzqF.exe.0.dr String found in binary or memory: http://s2.symcb.com0
Source: Telco 32pcs New Purchase Order.exe, 00000000.00000002.1460082719.0000000002B8C000.00000004.00000800.00020000.00000000.sdmp, Telco 32pcs New Purchase Order.exe, 0000000A.00000002.2689533130.0000000002B91000.00000004.00000800.00020000.00000000.sdmp, zBzzGAdzqF.exe, 0000000B.00000002.1511440653.0000000002ECC000.00000004.00000800.00020000.00000000.sdmp, zBzzGAdzqF.exe, 0000000F.00000002.2689631627.00000000030F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Telco 32pcs New Purchase Order.exe, zBzzGAdzqF.exe.0.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: Telco 32pcs New Purchase Order.exe, zBzzGAdzqF.exe.0.dr String found in binary or memory: http://www.symauth.com/cps0(
Source: Telco 32pcs New Purchase Order.exe, zBzzGAdzqF.exe.0.dr String found in binary or memory: http://www.symauth.com/rpa00
Source: Telco 32pcs New Purchase Order.exe, 00000000.00000002.1461636343.0000000003B49000.00000004.00000800.00020000.00000000.sdmp, Telco 32pcs New Purchase Order.exe, 0000000A.00000002.2685907689.0000000000435000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://account.dyn.com/
Source: Telco 32pcs New Purchase Order.exe, 00000000.00000002.1461636343.0000000003B49000.00000004.00000800.00020000.00000000.sdmp, Telco 32pcs New Purchase Order.exe, 0000000A.00000002.2689533130.0000000002B91000.00000004.00000800.00020000.00000000.sdmp, zBzzGAdzqF.exe, 0000000F.00000002.2685915143.0000000000434000.00000040.00000400.00020000.00000000.sdmp, zBzzGAdzqF.exe, 0000000F.00000002.2689631627.00000000030F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org
Source: Telco 32pcs New Purchase Order.exe, 0000000A.00000002.2689533130.0000000002B91000.00000004.00000800.00020000.00000000.sdmp, zBzzGAdzqF.exe, 0000000F.00000002.2689631627.00000000030F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/
Source: Telco 32pcs New Purchase Order.exe, 0000000A.00000002.2689533130.0000000002B91000.00000004.00000800.00020000.00000000.sdmp, zBzzGAdzqF.exe, 0000000F.00000002.2689631627.00000000030F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/t
Source: Telco 32pcs New Purchase Order.exe, zBzzGAdzqF.exe.0.dr String found in binary or memory: https://static.wikia.nocookie.net/mitologa/images/a/a3/Imagen_por_defecto.png/revision/latest/thumbn
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.8:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.8:49712 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Contains functionality to log keystrokes (.Net Source)
Source: 0.2.Telco 32pcs New Purchase Order.exe.3db27b8.2.raw.unpack, abAX9N.cs .Net Code: BFeixnEv
Source: 0.2.Telco 32pcs New Purchase Order.exe.3ded1d8.3.raw.unpack, abAX9N.cs .Net Code: BFeixnEv
Installs a global keyboard hook
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe
Creates a window with clipboard capturing capabilities
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Window created: window name: CLIPBRDWNDCLASS

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 0.2.Telco 32pcs New Purchase Order.exe.3db27b8.2.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.Telco 32pcs New Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Telco 32pcs New Purchase Order.exe.3ded1d8.3.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Telco 32pcs New Purchase Order.exe.3ded1d8.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Telco 32pcs New Purchase Order.exe.3db27b8.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Telco 32pcs New Purchase Order.exe
Detected potential crypto function
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Code function: 0_2_011FD364 0_2_011FD364
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Code function: 0_2_050F9700 0_2_050F9700
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Code function: 0_2_050F001F 0_2_050F001F
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Code function: 0_2_050F0040 0_2_050F0040
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Code function: 0_2_050F96F2 0_2_050F96F2
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Code function: 0_2_056E950B 0_2_056E950B
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Code function: 0_2_056E9518 0_2_056E9518
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Code function: 0_2_056EF12B 0_2_056EF12B
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Code function: 0_2_056EF138 0_2_056EF138
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Code function: 0_2_056E1998 0_2_056E1998
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Code function: 0_2_071D0040 0_2_071D0040
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Code function: 0_2_071DCAA8 0_2_071DCAA8
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Code function: 0_2_071D3619 0_2_071D3619
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Code function: 0_2_071D83B8 0_2_071D83B8
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Code function: 0_2_071D91A0 0_2_071D91A0
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Code function: 0_2_071D0006 0_2_071D0006
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Code function: 0_2_071D6D10 0_2_071D6D10
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Code function: 0_2_071D8C90 0_2_071D8C90
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Code function: 0_2_071D8C80 0_2_071D8C80
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Code function: 0_2_071D68B8 0_2_071D68B8
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Code function: 10_2_011CA968 10_2_011CA968
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Code function: 10_2_011C4A98 10_2_011C4A98
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Code function: 10_2_011C3E80 10_2_011C3E80
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Code function: 10_2_011C41C8 10_2_011C41C8
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Code function: 10_2_011CF8A5 10_2_011CF8A5
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Code function: 11_2_0148D364 11_2_0148D364
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Code function: 11_2_073E0040 11_2_073E0040
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Code function: 11_2_073EB940 11_2_073EB940
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Code function: 11_2_073E3619 11_2_073E3619
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Code function: 11_2_073E83B8 11_2_073E83B8
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Code function: 11_2_073E8148 11_2_073E8148
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Code function: 11_2_073E91A0 11_2_073E91A0
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Code function: 11_2_073E001E 11_2_073E001E
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Code function: 11_2_073EEF30 11_2_073EEF30
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Code function: 11_2_073E6D10 11_2_073E6D10
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Code function: 11_2_073E8C90 11_2_073E8C90
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Code function: 11_2_073E8C80 11_2_073E8C80
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Code function: 11_2_073E68A5 11_2_073E68A5
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Code function: 11_2_08C01998 11_2_08C01998
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Code function: 11_2_08C0F12B 11_2_08C0F12B
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Code function: 11_2_08C0F138 11_2_08C0F138
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Code function: 11_2_08C0950B 11_2_08C0950B
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Code function: 11_2_08C09518 11_2_08C09518
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Code function: 15_2_0179A968 15_2_0179A968
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Code function: 15_2_01794A98 15_2_01794A98
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Code function: 15_2_01793E80 15_2_01793E80
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Code function: 15_2_017941C8 15_2_017941C8
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Code function: 15_2_0179F8A5 15_2_0179F8A5
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Code function: 15_2_05D55D30 15_2_05D55D30
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Code function: 15_2_05D591F0 15_2_05D591F0
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Code function: 15_2_05D5A140 15_2_05D5A140
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Code function: 15_2_05D5E0C8 15_2_05D5E0C8
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Code function: 15_2_05D545A0 15_2_05D545A0
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Code function: 15_2_05D53578 15_2_05D53578
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Code function: 15_2_05D53CA0 15_2_05D53CA0
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Code function: 15_2_05D55650 15_2_05D55650
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Code function: 15_2_05D5C618 15_2_05D5C618
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Code function: 15_2_05D50338 15_2_05D50338
PE / OLE file has an invalid certificate
Source: Telco 32pcs New Purchase Order.exe Static PE information: invalid certificate
Sample file is different than original file name gathered from version info
Source: Telco 32pcs New Purchase Order.exe, 00000000.00000000.1434374405.0000000000772000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameyuyGs.exe: vs Telco 32pcs New Purchase Order.exe
Source: Telco 32pcs New Purchase Order.exe, 00000000.00000002.1483913264.0000000008D7A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs Telco 32pcs New Purchase Order.exe
Source: Telco 32pcs New Purchase Order.exe, 00000000.00000002.1482724477.00000000071E0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs Telco 32pcs New Purchase Order.exe
Source: Telco 32pcs New Purchase Order.exe, 00000000.00000002.1460082719.0000000002B8C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename8854fa4e-ee03-4899-b0c3-2df80b3f7614.exe4 vs Telco 32pcs New Purchase Order.exe
Source: Telco 32pcs New Purchase Order.exe, 00000000.00000002.1458787818.0000000000F3E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Telco 32pcs New Purchase Order.exe
Source: Telco 32pcs New Purchase Order.exe, 00000000.00000002.1461636343.0000000003B49000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename8854fa4e-ee03-4899-b0c3-2df80b3f7614.exe4 vs Telco 32pcs New Purchase Order.exe
Source: Telco 32pcs New Purchase Order.exe, 00000000.00000002.1461636343.0000000003B49000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs Telco 32pcs New Purchase Order.exe
Source: Telco 32pcs New Purchase Order.exe, 0000000A.00000002.2686390719.0000000000D59000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Telco 32pcs New Purchase Order.exe
Source: Telco 32pcs New Purchase Order.exe, 0000000A.00000002.2685907689.0000000000435000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilename8854fa4e-ee03-4899-b0c3-2df80b3f7614.exe4 vs Telco 32pcs New Purchase Order.exe
Source: Telco 32pcs New Purchase Order.exe Binary or memory string: OriginalFilenameyuyGs.exe: vs Telco 32pcs New Purchase Order.exe
Uses 32bit PE files
Source: Telco 32pcs New Purchase Order.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 0.2.Telco 32pcs New Purchase Order.exe.3db27b8.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.Telco 32pcs New Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Telco 32pcs New Purchase Order.exe.3ded1d8.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Telco 32pcs New Purchase Order.exe.3ded1d8.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Telco 32pcs New Purchase Order.exe.3db27b8.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: Telco 32pcs New Purchase Order.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: zBzzGAdzqF.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.Telco 32pcs New Purchase Order.exe.3db27b8.2.raw.unpack, RsYAkkzVoy.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Telco 32pcs New Purchase Order.exe.3db27b8.2.raw.unpack, Kqqzixk.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Telco 32pcs New Purchase Order.exe.3db27b8.2.raw.unpack, xROdzGigX.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Telco 32pcs New Purchase Order.exe.3db27b8.2.raw.unpack, ywes.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Telco 32pcs New Purchase Order.exe.3db27b8.2.raw.unpack, iPVW0zV.cs Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.Telco 32pcs New Purchase Order.exe.3db27b8.2.raw.unpack, 1Pi9sgbHwoV.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Telco 32pcs New Purchase Order.exe.3db27b8.2.raw.unpack, YUgDfWK2g4.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Telco 32pcs New Purchase Order.exe.3db27b8.2.raw.unpack, YUgDfWK2g4.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.Telco 32pcs New Purchase Order.exe.3db27b8.2.raw.unpack, MarWtcu.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Telco 32pcs New Purchase Order.exe.3db27b8.2.raw.unpack, MarWtcu.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Telco 32pcs New Purchase Order.exe.3db27b8.2.raw.unpack, MarWtcu.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Telco 32pcs New Purchase Order.exe.3db27b8.2.raw.unpack, MarWtcu.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Telco 32pcs New Purchase Order.exe.71e0000.6.raw.unpack, qu4eVoHSPo9ejA6esY.cs Security API names: _0020.SetAccessControl
Source: 0.2.Telco 32pcs New Purchase Order.exe.71e0000.6.raw.unpack, qu4eVoHSPo9ejA6esY.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Telco 32pcs New Purchase Order.exe.71e0000.6.raw.unpack, qu4eVoHSPo9ejA6esY.cs Security API names: _0020.AddAccessRule
Source: 0.2.Telco 32pcs New Purchase Order.exe.71e0000.6.raw.unpack, IPKqHFaHGVDOvQLAAk.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Telco 32pcs New Purchase Order.exe.3e30bd8.4.raw.unpack, qu4eVoHSPo9ejA6esY.cs Security API names: _0020.SetAccessControl
Source: 0.2.Telco 32pcs New Purchase Order.exe.3e30bd8.4.raw.unpack, qu4eVoHSPo9ejA6esY.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Telco 32pcs New Purchase Order.exe.3e30bd8.4.raw.unpack, qu4eVoHSPo9ejA6esY.cs Security API names: _0020.AddAccessRule
Source: 0.2.Telco 32pcs New Purchase Order.exe.3e30bd8.4.raw.unpack, IPKqHFaHGVDOvQLAAk.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@21/15@2/2
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe File created: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7452:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2212:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3564:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3660:120:WilError_03
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe File created: C:\Users\user\AppData\Local\Temp\tmp4878.tmp Jump to behavior
Source: Telco 32pcs New Purchase Order.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Telco 32pcs New Purchase Order.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: Telco 32pcs New Purchase Order.exe ReversingLabs: Detection: 44%
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe File read: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe "C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe"
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zBzzGAdzqF" /XML "C:\Users\user\AppData\Local\Temp\tmp4878.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process created: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe "C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe"
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process created: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe "C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zBzzGAdzqF" /XML "C:\Users\user\AppData\Local\Temp\tmp5C8D.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process created: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe "C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe"
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe" Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe" Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zBzzGAdzqF" /XML "C:\Users\user\AppData\Local\Temp\tmp4878.tmp" Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process created: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe "C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe" Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process created: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe "C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zBzzGAdzqF" /XML "C:\Users\user\AppData\Local\Temp\tmp5C8D.tmp" Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process created: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe "C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe" Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles Jump to behavior
Source: Telco 32pcs New Purchase Order.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Telco 32pcs New Purchase Order.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Telco 32pcs New Purchase Order.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: yuyGs.pdb source: Telco 32pcs New Purchase Order.exe, zBzzGAdzqF.exe.0.dr
Source: Binary string: yuyGs.pdbSHA256m source: Telco 32pcs New Purchase Order.exe, zBzzGAdzqF.exe.0.dr

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: Telco 32pcs New Purchase Order.exe, Home.cs .Net Code: InitializeComponent
Source: zBzzGAdzqF.exe.0.dr, Home.cs .Net Code: InitializeComponent
Source: 0.2.Telco 32pcs New Purchase Order.exe.2bcdf8c.0.raw.unpack, QBy45BY4uMbUQs88Qq.cs .Net Code: KmDc5Q9bs System.Reflection.Assembly.Load(byte[])
Source: 0.2.Telco 32pcs New Purchase Order.exe.6da0000.5.raw.unpack, QBy45BY4uMbUQs88Qq.cs .Net Code: KmDc5Q9bs System.Reflection.Assembly.Load(byte[])
Source: 0.2.Telco 32pcs New Purchase Order.exe.2b6dc80.1.raw.unpack, QBy45BY4uMbUQs88Qq.cs .Net Code: KmDc5Q9bs System.Reflection.Assembly.Load(byte[])
Source: 0.2.Telco 32pcs New Purchase Order.exe.3e30bd8.4.raw.unpack, qu4eVoHSPo9ejA6esY.cs .Net Code: iIlL85sgd2 System.Reflection.Assembly.Load(byte[])
Source: 0.2.Telco 32pcs New Purchase Order.exe.71e0000.6.raw.unpack, qu4eVoHSPo9ejA6esY.cs .Net Code: iIlL85sgd2 System.Reflection.Assembly.Load(byte[])
Binary contains a suspicious time stamp
Source: Telco 32pcs New Purchase Order.exe Static PE information: 0xBA8721D6 [Sat Mar 2 02:49:58 2069 UTC]
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Code function: 0_2_071DD732 pushfd ; ret 0_2_071DD764
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Code function: 0_2_071DD788 pushfd ; ret 0_2_071DD7A4
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Code function: 0_2_071DD7D6 pushfd ; ret 0_2_071DD7E4
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Code function: 0_2_071DC471 pushfd ; ret 0_2_071DC472
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Code function: 0_2_071D24CC pushfd ; ret 0_2_071D24CD
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Code function: 0_2_071DB3E9 pushfd ; ret 0_2_071DB3F1
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Code function: 0_2_071D5040 pushfd ; ret 0_2_071D5041
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Code function: 0_2_071D2E6E pushfd ; ret 0_2_071D2E6F
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Code function: 0_2_071D4D6F pushfd ; ret 0_2_071D4D8C
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Code function: 0_2_071D9CC3 pushfd ; ret 0_2_071D9CC4
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Code function: 0_2_071D4A29 pushad ; retf 0_2_071D4A35
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Code function: 0_2_071DD891 pushfd ; ret 0_2_071DD8AC
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Code function: 10_2_011C0C45 push ebx; retf 10_2_011C0C52
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Code function: 11_2_073EC620 pushfd ; ret 11_2_073EC63C
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Code function: 11_2_073EC66E pushfd ; ret 11_2_073EC67C
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Code function: 11_2_073EA518 pushfd ; ret 11_2_073EA534
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Code function: 11_2_073EC5DA pushfd ; ret 11_2_073EC5FC
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Code function: 11_2_073EA5C1 pushfd ; ret 11_2_073EA5C9
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Code function: 11_2_073E24CC pushfd ; ret 11_2_073E24CD
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Code function: 11_2_073EB309 pushfd ; ret 11_2_073EB30A
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Code function: 11_2_073EB2B3 pushfd ; ret 11_2_073EB2B4
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Code function: 11_2_073E5040 pushfd ; ret 11_2_073E5041
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Code function: 11_2_073E2E6E pushfd ; ret 11_2_073E2E6F
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Code function: 11_2_073E4D6F pushfd ; ret 11_2_073E4D8C
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Code function: 11_2_073E5DB2 pushfd ; ret 11_2_073E5DC6
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Code function: 11_2_073E9CC3 pushfd ; ret 11_2_073E9CC4
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Code function: 11_2_073E4A29 pushad ; retf 11_2_073E4A35
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Code function: 15_2_01790C45 push ebx; retf 15_2_01790C52
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Code function: 15_2_0179DCA0 push esp; iretd 15_2_0179DD29
Source: Telco 32pcs New Purchase Order.exe Static PE information: section name: .text entropy: 7.800984886920725
Source: zBzzGAdzqF.exe.0.dr Static PE information: section name: .text entropy: 7.800984886920725
Source: 0.2.Telco 32pcs New Purchase Order.exe.2bcdf8c.0.raw.unpack, kD0JNdgNBriBGn5egS.cs High entropy of concatenated method names: 'ubU6vJppswKkZ', 'uvAmfDYbimWPg9rmyH6', 'XHYItoYHo1DoUvgeuNZ', 'tYVkNWYXlYIi7gDFfLn', 'TV4H82YzoL7kT86loIA', 'yoiEG7M3KqRFDlQAaqW', 'rU4RpWYS77WPQpUZwKR', 'vGvSIFYGEhSitdykOPg', 'TCSl6vMYjB5c5h75h4u'
Source: 0.2.Telco 32pcs New Purchase Order.exe.2bcdf8c.0.raw.unpack, QBy45BY4uMbUQs88Qq.cs High entropy of concatenated method names: 'QByY45B4u', 'EbUNQs88Q', 'D8PguGCCm', 'gfwtorebq', 'rQ9oD0JNd', 'cBrXiBGn5', 'sgS08fT72', 'lmAQKmrG6', 'qn1mTNvNO', 'K084ZL4CG'
Source: 0.2.Telco 32pcs New Purchase Order.exe.6da0000.5.raw.unpack, kD0JNdgNBriBGn5egS.cs High entropy of concatenated method names: 'ubU6vJppswKkZ', 'uvAmfDYbimWPg9rmyH6', 'XHYItoYHo1DoUvgeuNZ', 'tYVkNWYXlYIi7gDFfLn', 'TV4H82YzoL7kT86loIA', 'yoiEG7M3KqRFDlQAaqW', 'rU4RpWYS77WPQpUZwKR', 'vGvSIFYGEhSitdykOPg', 'TCSl6vMYjB5c5h75h4u'
Source: 0.2.Telco 32pcs New Purchase Order.exe.6da0000.5.raw.unpack, QBy45BY4uMbUQs88Qq.cs High entropy of concatenated method names: 'QByY45B4u', 'EbUNQs88Q', 'D8PguGCCm', 'gfwtorebq', 'rQ9oD0JNd', 'cBrXiBGn5', 'sgS08fT72', 'lmAQKmrG6', 'qn1mTNvNO', 'K084ZL4CG'
Source: 0.2.Telco 32pcs New Purchase Order.exe.2b6dc80.1.raw.unpack, kD0JNdgNBriBGn5egS.cs High entropy of concatenated method names: 'ubU6vJppswKkZ', 'uvAmfDYbimWPg9rmyH6', 'XHYItoYHo1DoUvgeuNZ', 'tYVkNWYXlYIi7gDFfLn', 'TV4H82YzoL7kT86loIA', 'yoiEG7M3KqRFDlQAaqW', 'rU4RpWYS77WPQpUZwKR', 'vGvSIFYGEhSitdykOPg', 'TCSl6vMYjB5c5h75h4u'
Source: 0.2.Telco 32pcs New Purchase Order.exe.2b6dc80.1.raw.unpack, QBy45BY4uMbUQs88Qq.cs High entropy of concatenated method names: 'QByY45B4u', 'EbUNQs88Q', 'D8PguGCCm', 'gfwtorebq', 'rQ9oD0JNd', 'cBrXiBGn5', 'sgS08fT72', 'lmAQKmrG6', 'qn1mTNvNO', 'K084ZL4CG'
Source: 0.2.Telco 32pcs New Purchase Order.exe.3e30bd8.4.raw.unpack, wKEY3HJo8eDVRJWVro.cs High entropy of concatenated method names: 'sqDQGHh96y', 'AgAQEv1riQ', 'Fg1QJJBr6R', 'I1wQSRnwnx', 'vIeQwNK6Rq', 'BGOQjZUIjV', 'wvgQ3QfWU5', 'VtPQ4RYbh2', 'lyLQyNGwsr', 'ajHQqn1Ng0'
Source: 0.2.Telco 32pcs New Purchase Order.exe.3e30bd8.4.raw.unpack, w3Un50OCHhr6XKPgVv.cs High entropy of concatenated method names: 'RYCrUTgMSO', 'kQorbaib6b', 'IEdR5YSe1q', 'PFSRcXEnj1', 'uPqrdx7Xkp', 'Wi6rEyPbgM', 'VoLrZD6RB9', 'dD7rJGZpTT', 'LKmrSHsKFR', 'eJVrt2tHI4'
Source: 0.2.Telco 32pcs New Purchase Order.exe.3e30bd8.4.raw.unpack, pfqRELt3v9bOXMqgPx.cs High entropy of concatenated method names: 'ToString', 'yvehdb2t9t', 'NQehwkDNPt', 'vNahjGrn0B', 'zDnh3DYCMD', 'weFh4Ejuli', 'vuohyoIpHQ', 'TcOhqv04Zo', 'tPNhYAfG6g', 'o2xhTYIURs'
Source: 0.2.Telco 32pcs New Purchase Order.exe.3e30bd8.4.raw.unpack, AwjlnHTFEX7SG8ODN5.cs High entropy of concatenated method names: 'hy00FxSK3A', 'ALr0lyMuec', 'iLE08TC0iR', 'FT00oF8KFL', 'vlr02teTAH', 'HUy0VVi8jv', 'Wwo0uTJLZY', 'nJB0avBUnP', 'olQ0XjQ0TG', 'GyN0ABaMdL'
Source: 0.2.Telco 32pcs New Purchase Order.exe.3e30bd8.4.raw.unpack, fyDZ3Q6uBXD3CjoIfe.cs High entropy of concatenated method names: 'Dispose', 'qAxcCZdVv3', 'XBWnwVY2lN', 'Pe9YYBBw6U', 'PRjcbfEKjm', 'pJPczup5ZA', 'ProcessDialogKey', 'FBnn5M11V2', 'K3CncqNxJ4', 'gslnnW9WDD'
Source: 0.2.Telco 32pcs New Purchase Order.exe.3e30bd8.4.raw.unpack, v04S8qXUOtWGnng4FZ.cs High entropy of concatenated method names: 'cYavouRehn', 'ksNvVPg00u', 'HJWvalwSPx', 'nZSvXHQ0mo', 'cU7vQjopVc', 'SR9vhPYicQ', 'jUHvrRRrtD', 'RJivRYlFin', 'uZyvkvXhi0', 'zXNvMvuihd'
Source: 0.2.Telco 32pcs New Purchase Order.exe.3e30bd8.4.raw.unpack, NvUCdtLRiH35Z1HHQn.cs High entropy of concatenated method names: 'K83c0PKqHF', 'kGVcHDOvQL', 'LUOcWtWGnn', 'm4FcgZ8MJp', 'iawcQx7K0I', 'wdachtbGSN', 'Ch8D1whNuPg31uyFJg', 'YroQCR9w2iwP4MyTq2', 'HSDccBA0NU', 'fpPcP1HwW2'
Source: 0.2.Telco 32pcs New Purchase Order.exe.3e30bd8.4.raw.unpack, zMJpQBApxlWy5eawx7.cs High entropy of concatenated method names: 'kMlx2KBJ7U', 'N6sxulRfT7', 'BI0vjhtSKK', 'L1Mv3bOtIS', 'FYkv4oD6xq', 'bSovyLeSu7', 'nc6vqhWF65', 'CuAvYJelIn', 'CF4vTaxdXC', 'm9CvG7pkcO'
Source: 0.2.Telco 32pcs New Purchase Order.exe.3e30bd8.4.raw.unpack, m9WDDAbdckgRSPLQdj.cs High entropy of concatenated method names: 'orpkcoAta9', 'cwvkPdPa9X', 'XbNkLcJZI9', 'EHdki4HJWD', 'gWBk6sdHLm', 'T1QkxT79yj', 'oDXkehUsxs', 'DEJR1Ie2s7', 'DKoRUxGHO3', 'F8pRCefm26'
Source: 0.2.Telco 32pcs New Purchase Order.exe.3e30bd8.4.raw.unpack, mUIQHtc5PiMLIOqOQrb.cs High entropy of concatenated method names: 'FAkkFxn8sH', 'HEFkljUHex', 'OjLk87EBb7', 'ox8kok0K4N', 'N5mk2P8Cqi', 'P7qkVymBuM', 'CawkuJWeYj', 'KGAkauav3Y', 'PbFkXix04G', 'KhkkASEoFQ'
Source: 0.2.Telco 32pcs New Purchase Order.exe.3e30bd8.4.raw.unpack, qjfEKjUmhJPup5ZABB.cs High entropy of concatenated method names: 'SBhRiR8ln7', 'qPKR6YtsRd', 'oMORv0EDq6', 'vyTRxnX0X7', 'f14ReZWIe1', 'yXtR0gH05s', 'EhvRHkCaMg', 'fQaR7AtcnI', 'LAdRWgWshs', 'WXBRggvbQv'
Source: 0.2.Telco 32pcs New Purchase Order.exe.3e30bd8.4.raw.unpack, qu4eVoHSPo9ejA6esY.cs High entropy of concatenated method names: 'DZrPIKLoAd', 'bZDPiLaV2C', 'b4aP6Q6EaY', 'CrmPvYf3LV', 'PAJPxbt4mA', 'oQKPeWFc5c', 'kClP0yR2mh', 'OHMPHWy8b7', 'PeuP7rGAdx', 'TYsPWgqv4k'
Source: 0.2.Telco 32pcs New Purchase Order.exe.3e30bd8.4.raw.unpack, PD4QmDnXLZawl4rABn.cs High entropy of concatenated method names: 'zXF8f58L4', 't1Zoj5So2', 'qgxVRGBG6', 'IyBufDp2t', 'QowXlVPrY', 'FN9AftdVN', 'ooDhP5fR42yJe6YWK0', 'pfQm6CVwaQ6XprVAL5', 'qf0RTAdFl', 'XmkMpM5GF'
Source: 0.2.Telco 32pcs New Purchase Order.exe.3e30bd8.4.raw.unpack, cdF0WJqmBirGmsrC9U.cs High entropy of concatenated method names: 'CEA0iQvX6D', 'tsg0vunrjL', 'SGS0eZ9ebn', 'pamebo8vG2', 'DcgezFMRP2', 'mon0569LDC', 'cKP0cCmnTN', 'Swu0nF7nXL', 'IsA0P69y81', 'TQ40LxNEXd'
Source: 0.2.Telco 32pcs New Purchase Order.exe.3e30bd8.4.raw.unpack, kVBCLKccNDI6UpiebDC.cs High entropy of concatenated method names: 'ToString', 'ALWMPwDmCl', 'WnSMLIdYYd', 'r2AMIgRLAl', 'UaNMi1hf6c', 'yecM6WVgdF', 'VeGMvSIGDu', 'KUiMxwEDkT', 'OY4V8soRXljAc6TIZDg', 'fC8EL0oU2mD6oShue5e'
Source: 0.2.Telco 32pcs New Purchase Order.exe.3e30bd8.4.raw.unpack, K11YPaZenX8Q04FESS.cs High entropy of concatenated method names: 'FyWfa97HKd', 'j2MfXKFyP8', 'tFPfBWSfC8', 'MYXfw7NqwV', 'ldEf3KdFXi', 'yYif4cbsdw', 'drjfqvjYRp', 'v1mfYKTv6M', 'gxqfGMCyFV', 'DL6fdyGmsW'
Source: 0.2.Telco 32pcs New Purchase Order.exe.3e30bd8.4.raw.unpack, IPKqHFaHGVDOvQLAAk.cs High entropy of concatenated method names: 'HnQ6JWKUHJ', 'a1V6Soepat', 'cJe6tlpCfh', 'g1u6msnTg3', 'EF06pxQAPB', 'HTa6OBmIlQ', 'f6061O8oAr', 'G806Uk5tlb', 'uPt6Cea6Nj', 'fTu6b3J0ex'
Source: 0.2.Telco 32pcs New Purchase Order.exe.3e30bd8.4.raw.unpack, v0I9daBtbGSNNIQqY8.cs High entropy of concatenated method names: 'jWZeIhpB5i', 'uYKe6pWusq', 'xDEexSSueb', 'oVZe0LBNTB', 'nPHeHXiFAA', 'w3HxpsP8cf', 'sexxOga7gR', 'uCcx1JvrKF', 'Sr6xUp8SG3', 'w4axCObIC7'
Source: 0.2.Telco 32pcs New Purchase Order.exe.3e30bd8.4.raw.unpack, BkgHkYcPAiFTFYL9rDK.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'YOyMJWMFgD', 'RgSMSvvR5h', 'WDJMtPpHPV', 'u9NMmAg7hB', 'vyyMpUK59E', 'CAKMOI9TkG', 'xmoM1ouMnq'
Source: 0.2.Telco 32pcs New Purchase Order.exe.3e30bd8.4.raw.unpack, L37xIBvcOVeeN7nJgi.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'bvdnCw79gs', 'l8hnbkI0pE', 'OMMnzrNTx1', 'KUYP5R1Qsw', 'KA3PcFQvuV', 'tq9PnVBWqf', 'XqqPPJe71U', 'R9bsZ92nZYfeK0FCVpO'
Source: 0.2.Telco 32pcs New Purchase Order.exe.3e30bd8.4.raw.unpack, bM11V2Cy3CqNxJ46sl.cs High entropy of concatenated method names: 'W1oRB7WTse', 'qfARwnvqhU', 'GwFRjbX0mZ', 'tbJR3WaC5H', 'O0RRJfy9lu', 'ED8R4cS1rI', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Telco 32pcs New Purchase Order.exe.71e0000.6.raw.unpack, wKEY3HJo8eDVRJWVro.cs High entropy of concatenated method names: 'sqDQGHh96y', 'AgAQEv1riQ', 'Fg1QJJBr6R', 'I1wQSRnwnx', 'vIeQwNK6Rq', 'BGOQjZUIjV', 'wvgQ3QfWU5', 'VtPQ4RYbh2', 'lyLQyNGwsr', 'ajHQqn1Ng0'
Source: 0.2.Telco 32pcs New Purchase Order.exe.71e0000.6.raw.unpack, w3Un50OCHhr6XKPgVv.cs High entropy of concatenated method names: 'RYCrUTgMSO', 'kQorbaib6b', 'IEdR5YSe1q', 'PFSRcXEnj1', 'uPqrdx7Xkp', 'Wi6rEyPbgM', 'VoLrZD6RB9', 'dD7rJGZpTT', 'LKmrSHsKFR', 'eJVrt2tHI4'
Source: 0.2.Telco 32pcs New Purchase Order.exe.71e0000.6.raw.unpack, pfqRELt3v9bOXMqgPx.cs High entropy of concatenated method names: 'ToString', 'yvehdb2t9t', 'NQehwkDNPt', 'vNahjGrn0B', 'zDnh3DYCMD', 'weFh4Ejuli', 'vuohyoIpHQ', 'TcOhqv04Zo', 'tPNhYAfG6g', 'o2xhTYIURs'
Source: 0.2.Telco 32pcs New Purchase Order.exe.71e0000.6.raw.unpack, AwjlnHTFEX7SG8ODN5.cs High entropy of concatenated method names: 'hy00FxSK3A', 'ALr0lyMuec', 'iLE08TC0iR', 'FT00oF8KFL', 'vlr02teTAH', 'HUy0VVi8jv', 'Wwo0uTJLZY', 'nJB0avBUnP', 'olQ0XjQ0TG', 'GyN0ABaMdL'
Source: 0.2.Telco 32pcs New Purchase Order.exe.71e0000.6.raw.unpack, fyDZ3Q6uBXD3CjoIfe.cs High entropy of concatenated method names: 'Dispose', 'qAxcCZdVv3', 'XBWnwVY2lN', 'Pe9YYBBw6U', 'PRjcbfEKjm', 'pJPczup5ZA', 'ProcessDialogKey', 'FBnn5M11V2', 'K3CncqNxJ4', 'gslnnW9WDD'
Source: 0.2.Telco 32pcs New Purchase Order.exe.71e0000.6.raw.unpack, v04S8qXUOtWGnng4FZ.cs High entropy of concatenated method names: 'cYavouRehn', 'ksNvVPg00u', 'HJWvalwSPx', 'nZSvXHQ0mo', 'cU7vQjopVc', 'SR9vhPYicQ', 'jUHvrRRrtD', 'RJivRYlFin', 'uZyvkvXhi0', 'zXNvMvuihd'
Source: 0.2.Telco 32pcs New Purchase Order.exe.71e0000.6.raw.unpack, NvUCdtLRiH35Z1HHQn.cs High entropy of concatenated method names: 'K83c0PKqHF', 'kGVcHDOvQL', 'LUOcWtWGnn', 'm4FcgZ8MJp', 'iawcQx7K0I', 'wdachtbGSN', 'Ch8D1whNuPg31uyFJg', 'YroQCR9w2iwP4MyTq2', 'HSDccBA0NU', 'fpPcP1HwW2'
Source: 0.2.Telco 32pcs New Purchase Order.exe.71e0000.6.raw.unpack, zMJpQBApxlWy5eawx7.cs High entropy of concatenated method names: 'kMlx2KBJ7U', 'N6sxulRfT7', 'BI0vjhtSKK', 'L1Mv3bOtIS', 'FYkv4oD6xq', 'bSovyLeSu7', 'nc6vqhWF65', 'CuAvYJelIn', 'CF4vTaxdXC', 'm9CvG7pkcO'
Source: 0.2.Telco 32pcs New Purchase Order.exe.71e0000.6.raw.unpack, m9WDDAbdckgRSPLQdj.cs High entropy of concatenated method names: 'orpkcoAta9', 'cwvkPdPa9X', 'XbNkLcJZI9', 'EHdki4HJWD', 'gWBk6sdHLm', 'T1QkxT79yj', 'oDXkehUsxs', 'DEJR1Ie2s7', 'DKoRUxGHO3', 'F8pRCefm26'
Source: 0.2.Telco 32pcs New Purchase Order.exe.71e0000.6.raw.unpack, mUIQHtc5PiMLIOqOQrb.cs High entropy of concatenated method names: 'FAkkFxn8sH', 'HEFkljUHex', 'OjLk87EBb7', 'ox8kok0K4N', 'N5mk2P8Cqi', 'P7qkVymBuM', 'CawkuJWeYj', 'KGAkauav3Y', 'PbFkXix04G', 'KhkkASEoFQ'
Source: 0.2.Telco 32pcs New Purchase Order.exe.71e0000.6.raw.unpack, qjfEKjUmhJPup5ZABB.cs High entropy of concatenated method names: 'SBhRiR8ln7', 'qPKR6YtsRd', 'oMORv0EDq6', 'vyTRxnX0X7', 'f14ReZWIe1', 'yXtR0gH05s', 'EhvRHkCaMg', 'fQaR7AtcnI', 'LAdRWgWshs', 'WXBRggvbQv'
Source: 0.2.Telco 32pcs New Purchase Order.exe.71e0000.6.raw.unpack, qu4eVoHSPo9ejA6esY.cs High entropy of concatenated method names: 'DZrPIKLoAd', 'bZDPiLaV2C', 'b4aP6Q6EaY', 'CrmPvYf3LV', 'PAJPxbt4mA', 'oQKPeWFc5c', 'kClP0yR2mh', 'OHMPHWy8b7', 'PeuP7rGAdx', 'TYsPWgqv4k'
Source: 0.2.Telco 32pcs New Purchase Order.exe.71e0000.6.raw.unpack, PD4QmDnXLZawl4rABn.cs High entropy of concatenated method names: 'zXF8f58L4', 't1Zoj5So2', 'qgxVRGBG6', 'IyBufDp2t', 'QowXlVPrY', 'FN9AftdVN', 'ooDhP5fR42yJe6YWK0', 'pfQm6CVwaQ6XprVAL5', 'qf0RTAdFl', 'XmkMpM5GF'
Source: 0.2.Telco 32pcs New Purchase Order.exe.71e0000.6.raw.unpack, cdF0WJqmBirGmsrC9U.cs High entropy of concatenated method names: 'CEA0iQvX6D', 'tsg0vunrjL', 'SGS0eZ9ebn', 'pamebo8vG2', 'DcgezFMRP2', 'mon0569LDC', 'cKP0cCmnTN', 'Swu0nF7nXL', 'IsA0P69y81', 'TQ40LxNEXd'
Source: 0.2.Telco 32pcs New Purchase Order.exe.71e0000.6.raw.unpack, kVBCLKccNDI6UpiebDC.cs High entropy of concatenated method names: 'ToString', 'ALWMPwDmCl', 'WnSMLIdYYd', 'r2AMIgRLAl', 'UaNMi1hf6c', 'yecM6WVgdF', 'VeGMvSIGDu', 'KUiMxwEDkT', 'OY4V8soRXljAc6TIZDg', 'fC8EL0oU2mD6oShue5e'
Source: 0.2.Telco 32pcs New Purchase Order.exe.71e0000.6.raw.unpack, K11YPaZenX8Q04FESS.cs High entropy of concatenated method names: 'FyWfa97HKd', 'j2MfXKFyP8', 'tFPfBWSfC8', 'MYXfw7NqwV', 'ldEf3KdFXi', 'yYif4cbsdw', 'drjfqvjYRp', 'v1mfYKTv6M', 'gxqfGMCyFV', 'DL6fdyGmsW'
Source: 0.2.Telco 32pcs New Purchase Order.exe.71e0000.6.raw.unpack, IPKqHFaHGVDOvQLAAk.cs High entropy of concatenated method names: 'HnQ6JWKUHJ', 'a1V6Soepat', 'cJe6tlpCfh', 'g1u6msnTg3', 'EF06pxQAPB', 'HTa6OBmIlQ', 'f6061O8oAr', 'G806Uk5tlb', 'uPt6Cea6Nj', 'fTu6b3J0ex'
Source: 0.2.Telco 32pcs New Purchase Order.exe.71e0000.6.raw.unpack, v0I9daBtbGSNNIQqY8.cs High entropy of concatenated method names: 'jWZeIhpB5i', 'uYKe6pWusq', 'xDEexSSueb', 'oVZe0LBNTB', 'nPHeHXiFAA', 'w3HxpsP8cf', 'sexxOga7gR', 'uCcx1JvrKF', 'Sr6xUp8SG3', 'w4axCObIC7'
Source: 0.2.Telco 32pcs New Purchase Order.exe.71e0000.6.raw.unpack, BkgHkYcPAiFTFYL9rDK.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'YOyMJWMFgD', 'RgSMSvvR5h', 'WDJMtPpHPV', 'u9NMmAg7hB', 'vyyMpUK59E', 'CAKMOI9TkG', 'xmoM1ouMnq'
Source: 0.2.Telco 32pcs New Purchase Order.exe.71e0000.6.raw.unpack, L37xIBvcOVeeN7nJgi.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'bvdnCw79gs', 'l8hnbkI0pE', 'OMMnzrNTx1', 'KUYP5R1Qsw', 'KA3PcFQvuV', 'tq9PnVBWqf', 'XqqPPJe71U', 'R9bsZ92nZYfeK0FCVpO'
Source: 0.2.Telco 32pcs New Purchase Order.exe.71e0000.6.raw.unpack, bM11V2Cy3CqNxJ46sl.cs High entropy of concatenated method names: 'W1oRB7WTse', 'qfARwnvqhU', 'GwFRjbX0mZ', 'tbJR3WaC5H', 'O0RRJfy9lu', 'ED8R4cS1rI', 'Next', 'Next', 'Next', 'NextBytes'
Drops PE files
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe File created: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Jump to dropped file

Boot Survival
barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zBzzGAdzqF" /XML "C:\Users\user\AppData\Local\Temp\tmp4878.tmp"

Hooking and other Techniques for Hiding and Protection
barindex
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Source: initial sample Icon embedded in binary file: icon matches a legit application icon: download (129).png
Loading BitLocker PowerShell Module
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: zBzzGAdzqF.exe PID: 2768, type: MEMORYSTR
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Memory allocated: 11F0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Memory allocated: 2B40000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Memory allocated: 4B40000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Memory allocated: 8FE0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Memory allocated: 9FE0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Memory allocated: A1F0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Memory allocated: B1F0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Memory allocated: 11C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Memory allocated: 2B90000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Memory allocated: 4C90000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Memory allocated: 1460000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Memory allocated: 2E80000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Memory allocated: 4E80000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Memory allocated: 8DE0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Memory allocated: 9DE0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Memory allocated: 9FE0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Memory allocated: AFE0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Memory allocated: 1740000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Memory allocated: 30F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Memory allocated: 50F0000 memory reserve | memory write watch
Contains long sleeps (>= 3 min)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4547 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5859 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 577 Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Window / User API: threadDelayed 3543 Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Window / User API: threadDelayed 6300 Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Window / User API: threadDelayed 3693
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Window / User API: threadDelayed 6144
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2252 Thread sleep count: 4547 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2212 Thread sleep time: -2767011611056431s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4352 Thread sleep time: -1844674407370954s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5692 Thread sleep time: -4611686018427385s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3364 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328 Thread sleep count: 38 > 30 Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328 Thread sleep time: -35048813740048126s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328 Thread sleep time: -100000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7340 Thread sleep count: 3543 > 30 Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328 Thread sleep time: -99890s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7340 Thread sleep count: 6300 > 30 Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328 Thread sleep time: -99780s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328 Thread sleep time: -99671s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328 Thread sleep time: -99562s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328 Thread sleep time: -99453s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328 Thread sleep time: -99343s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328 Thread sleep time: -99234s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328 Thread sleep time: -99125s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328 Thread sleep time: -99015s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328 Thread sleep time: -98906s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328 Thread sleep time: -98791s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328 Thread sleep time: -98687s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328 Thread sleep time: -98578s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328 Thread sleep time: -98465s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328 Thread sleep time: -98359s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328 Thread sleep time: -98250s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328 Thread sleep time: -98140s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328 Thread sleep time: -98031s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328 Thread sleep time: -97922s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328 Thread sleep time: -97812s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328 Thread sleep time: -97703s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328 Thread sleep time: -97594s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328 Thread sleep time: -97479s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328 Thread sleep time: -97374s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328 Thread sleep time: -97265s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328 Thread sleep time: -97155s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328 Thread sleep time: -97047s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328 Thread sleep time: -96937s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328 Thread sleep time: -96828s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328 Thread sleep time: -96719s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328 Thread sleep time: -96609s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328 Thread sleep time: -96457s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328 Thread sleep time: -96156s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328 Thread sleep time: -96046s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328 Thread sleep time: -95937s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328 Thread sleep time: -95823s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328 Thread sleep time: -95717s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328 Thread sleep time: -95609s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328 Thread sleep time: -95500s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328 Thread sleep time: -95388s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328 Thread sleep time: -95281s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328 Thread sleep time: -95171s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328 Thread sleep time: -95049s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328 Thread sleep time: -94922s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328 Thread sleep time: -94812s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328 Thread sleep time: -94703s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328 Thread sleep time: -94594s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328 Thread sleep time: -94484s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328 Thread sleep time: -94375s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328 Thread sleep time: -94265s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7336 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604 Thread sleep count: 36 > 30
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604 Thread sleep time: -33204139332677172s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7632 Thread sleep count: 3693 > 30
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604 Thread sleep time: -99585s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7632 Thread sleep count: 6144 > 30
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604 Thread sleep time: -99469s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604 Thread sleep time: -99340s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604 Thread sleep time: -99226s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604 Thread sleep time: -99125s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604 Thread sleep time: -99013s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604 Thread sleep time: -98904s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604 Thread sleep time: -98795s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604 Thread sleep time: -98688s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604 Thread sleep time: -98578s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604 Thread sleep time: -98469s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604 Thread sleep time: -98344s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604 Thread sleep time: -98235s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604 Thread sleep time: -98110s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604 Thread sleep time: -97985s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604 Thread sleep time: -97860s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604 Thread sleep time: -97735s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604 Thread sleep time: -97610s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604 Thread sleep time: -97485s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604 Thread sleep time: -97360s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604 Thread sleep time: -97235s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604 Thread sleep time: -97110s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604 Thread sleep time: -96969s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604 Thread sleep time: -96710s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604 Thread sleep time: -96548s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604 Thread sleep time: -96304s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604 Thread sleep time: -96191s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604 Thread sleep time: -96063s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604 Thread sleep time: -95953s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604 Thread sleep time: -95844s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604 Thread sleep time: -95734s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604 Thread sleep time: -95625s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604 Thread sleep time: -95516s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604 Thread sleep time: -95406s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604 Thread sleep time: -95297s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604 Thread sleep time: -95188s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604 Thread sleep time: -95063s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604 Thread sleep time: -94938s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604 Thread sleep time: -94813s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604 Thread sleep time: -94703s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604 Thread sleep time: -94594s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604 Thread sleep time: -94469s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604 Thread sleep time: -94360s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604 Thread sleep time: -94235s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604 Thread sleep time: -94110s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604 Thread sleep time: -93985s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604 Thread sleep time: -93813s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604 Thread sleep time: -93693s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604 Thread sleep time: -93563s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604 Thread sleep time: -93174s >= -30000s
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Thread delayed: delay time: 100000 Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Thread delayed: delay time: 99890 Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Thread delayed: delay time: 99780 Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Thread delayed: delay time: 99671 Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Thread delayed: delay time: 99562 Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Thread delayed: delay time: 99453 Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Thread delayed: delay time: 99343 Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Thread delayed: delay time: 99234 Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Thread delayed: delay time: 99125 Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Thread delayed: delay time: 99015 Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Thread delayed: delay time: 98906 Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Thread delayed: delay time: 98791 Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Thread delayed: delay time: 98687 Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Thread delayed: delay time: 98578 Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Thread delayed: delay time: 98465 Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Thread delayed: delay time: 98359 Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Thread delayed: delay time: 98250 Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Thread delayed: delay time: 98140 Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Thread delayed: delay time: 98031 Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Thread delayed: delay time: 97922 Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Thread delayed: delay time: 97812 Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Thread delayed: delay time: 97703 Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Thread delayed: delay time: 97594 Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Thread delayed: delay time: 97479 Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Thread delayed: delay time: 97374 Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Thread delayed: delay time: 97265 Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Thread delayed: delay time: 97155 Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Thread delayed: delay time: 97047 Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Thread delayed: delay time: 96937 Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Thread delayed: delay time: 96828 Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Thread delayed: delay time: 96719 Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Thread delayed: delay time: 96609 Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Thread delayed: delay time: 96457 Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Thread delayed: delay time: 96156 Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Thread delayed: delay time: 96046 Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Thread delayed: delay time: 95937 Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Thread delayed: delay time: 95823 Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Thread delayed: delay time: 95717 Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Thread delayed: delay time: 95609 Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Thread delayed: delay time: 95500 Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Thread delayed: delay time: 95388 Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Thread delayed: delay time: 95281 Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Thread delayed: delay time: 95171 Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Thread delayed: delay time: 95049 Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Thread delayed: delay time: 94922 Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Thread delayed: delay time: 94812 Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Thread delayed: delay time: 94703 Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Thread delayed: delay time: 94594 Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Thread delayed: delay time: 94484 Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Thread delayed: delay time: 94375 Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Thread delayed: delay time: 94265 Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Thread delayed: delay time: 99585
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Thread delayed: delay time: 99469
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Thread delayed: delay time: 99340
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Thread delayed: delay time: 99226
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Thread delayed: delay time: 99125
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Thread delayed: delay time: 99013
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Thread delayed: delay time: 98904
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Thread delayed: delay time: 98795
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Thread delayed: delay time: 98688
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Thread delayed: delay time: 98578
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Thread delayed: delay time: 98469
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Thread delayed: delay time: 98344
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Thread delayed: delay time: 98235
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Thread delayed: delay time: 98110
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Thread delayed: delay time: 97985
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Thread delayed: delay time: 97860
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Thread delayed: delay time: 97735
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Thread delayed: delay time: 97610
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Thread delayed: delay time: 97485
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Thread delayed: delay time: 97360
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Thread delayed: delay time: 97235
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Thread delayed: delay time: 97110
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Thread delayed: delay time: 96969
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Thread delayed: delay time: 96710
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Thread delayed: delay time: 96548
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Thread delayed: delay time: 96304
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Thread delayed: delay time: 96191
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Thread delayed: delay time: 96063
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Thread delayed: delay time: 95953
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Thread delayed: delay time: 95844
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Thread delayed: delay time: 95734
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Thread delayed: delay time: 95625
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Thread delayed: delay time: 95516
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Thread delayed: delay time: 95406
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Thread delayed: delay time: 95297
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Thread delayed: delay time: 95188
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Thread delayed: delay time: 95063
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Thread delayed: delay time: 94938
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Thread delayed: delay time: 94813
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Thread delayed: delay time: 94703
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Thread delayed: delay time: 94594
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Thread delayed: delay time: 94469
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Thread delayed: delay time: 94360
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Thread delayed: delay time: 94235
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Thread delayed: delay time: 94110
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Thread delayed: delay time: 93985
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Thread delayed: delay time: 93813
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Thread delayed: delay time: 93693
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Thread delayed: delay time: 93563
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Thread delayed: delay time: 93174
Source: zBzzGAdzqF.exe, 0000000B.00000002.1508467194.00000000011A2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}m=dE
Source: Telco 32pcs New Purchase Order.exe, 0000000A.00000002.2687529054.000000000117E000.00000004.00000020.00020000.00000000.sdmp, zBzzGAdzqF.exe, 0000000F.00000002.2687516605.000000000149F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: zBzzGAdzqF.exe, 0000000B.00000002.1508467194.00000000011A2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\"
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process information queried: ProcessInformation Jump to behavior
Enables debug privileges
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Adds a directory exclusion to Windows Defender
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe"
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe"
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe" Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe" Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Memory written: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Memory written: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe" Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe" Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zBzzGAdzqF" /XML "C:\Users\user\AppData\Local\Temp\tmp4878.tmp" Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process created: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe "C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe" Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Process created: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe "C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zBzzGAdzqF" /XML "C:\Users\user\AppData\Local\Temp\tmp5C8D.tmp" Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Process created: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe "C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Queries volume information: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Queries volume information: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Queries volume information: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Queries volume information: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected AgentTesla
Source: Yara match File source: 0.2.Telco 32pcs New Purchase Order.exe.3db27b8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.Telco 32pcs New Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Telco 32pcs New Purchase Order.exe.3ded1d8.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Telco 32pcs New Purchase Order.exe.3ded1d8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Telco 32pcs New Purchase Order.exe.3db27b8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000002.2689631627.0000000003141000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2689533130.0000000002C0C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2689631627.0000000003165000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2689533130.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2685907689.0000000000435000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1461636343.0000000003B49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Telco 32pcs New Purchase Order.exe PID: 4136, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Telco 32pcs New Purchase Order.exe PID: 4508, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: zBzzGAdzqF.exe PID: 7500, type: MEMORYSTR
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe File opened: C:\FTP Navigator\Ftplist.txt
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Yara detected Credential Stealer
Source: Yara match File source: 0.2.Telco 32pcs New Purchase Order.exe.3db27b8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.Telco 32pcs New Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Telco 32pcs New Purchase Order.exe.3ded1d8.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Telco 32pcs New Purchase Order.exe.3ded1d8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Telco 32pcs New Purchase Order.exe.3db27b8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000002.2689631627.0000000003141000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2689533130.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2685907689.0000000000435000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1461636343.0000000003B49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Telco 32pcs New Purchase Order.exe PID: 4136, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Telco 32pcs New Purchase Order.exe PID: 4508, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: zBzzGAdzqF.exe PID: 7500, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected AgentTesla
Source: Yara match File source: 0.2.Telco 32pcs New Purchase Order.exe.3db27b8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.Telco 32pcs New Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Telco 32pcs New Purchase Order.exe.3ded1d8.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Telco 32pcs New Purchase Order.exe.3ded1d8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Telco 32pcs New Purchase Order.exe.3db27b8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000002.2689631627.0000000003141000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2689533130.0000000002C0C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2689631627.0000000003165000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2689533130.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2685907689.0000000000435000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1461636343.0000000003B49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Telco 32pcs New Purchase Order.exe PID: 4136, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Telco 32pcs New Purchase Order.exe PID: 4508, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: zBzzGAdzqF.exe PID: 7500, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1519146 Sample: Telco 32pcs New Purchase Or... Startdate: 26/09/2024 Architecture: WINDOWS Score: 100 46 mail.iaa-airferight.com 2->46 48 api.ipify.org 2->48 54 Found malware configuration 2->54 56 Malicious sample detected (through community Yara rule) 2->56 58 Antivirus detection for URL or domain 2->58 60 15 other signatures 2->60 8 Telco 32pcs New Purchase Order.exe 7 2->8         started        12 zBzzGAdzqF.exe 5 2->12         started        signatures3 process4 file5 38 C:\Users\user\AppData\...\zBzzGAdzqF.exe, PE32 8->38 dropped 40 C:\Users\...\zBzzGAdzqF.exe:Zone.Identifier, ASCII 8->40 dropped 42 C:\Users\user\AppData\Local\...\tmp4878.tmp, XML 8->42 dropped 44 C:\...\Telco 32pcs New Purchase Order.exe.log, ASCII 8->44 dropped 62 Adds a directory exclusion to Windows Defender 8->62 64 Injects a PE file into a foreign processes 8->64 14 Telco 32pcs New Purchase Order.exe 15 2 8->14         started        18 powershell.exe 23 8->18         started        20 powershell.exe 23 8->20         started        26 2 other processes 8->26 66 Multi AV Scanner detection for dropped file 12->66 68 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 12->68 70 Machine Learning detection for dropped file 12->70 22 zBzzGAdzqF.exe 12->22         started        24 schtasks.exe 12->24         started        signatures6 process7 dnsIp8 50 mail.iaa-airferight.com 46.175.148.58, 25 ASLAGIDKOM-NETUA Ukraine 14->50 52 api.ipify.org 104.26.12.205, 443, 49709, 49712 CLOUDFLARENETUS United States 14->52 72 Installs a global keyboard hook 14->72 74 Loading BitLocker PowerShell Module 18->74 28 conhost.exe 18->28         started        30 WmiPrvSE.exe 18->30         started        32 conhost.exe 20->32         started        76 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 22->76 78 Tries to steal Mail credentials (via file / registry access) 22->78 80 Tries to harvest and steal ftp login credentials 22->80 82 Tries to harvest and steal browser information (history, passwords, etc) 22->82 34 conhost.exe 24->34         started        36 conhost.exe 26->36         started        signatures9 process10
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
104.26.12.205
 api.ipify.org United States
13335 CLOUDFLARENETUS false
46.175.148.58
 mail.iaa-airferight.com Ukraine
56394 ASLAGIDKOM-NETUA true

Contacted Domains

Name IP Active
mail.iaa-airferight.com 46.175.148.58 true
api.ipify.org 104.26.12.205 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://api.ipify.org/ false
  • URL Reputation: safe
 unknown