Windows Analysis Report
SIP_20252701095738583757327401213.bat.exe

Overview

General Information

Sample name: SIP_20252701095738583757327401213.bat.exe
Analysis ID: 1634988
MD5: 9182b0dd46fcfb344d576fbd13b81538
SHA1: f10c41ce064b119d599ab7cfb306eff801adaa33
SHA256: b74ffc3b3d45094970d071d5af22cb7b8ebe5a67bc23347dd61f7ecafa2b9f85
Tags: exeuser-lowmal3

Detection

MSIL Logger, MassLogger RAT
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected MSIL Logger
Yara detected MassLogger RAT
Yara detected Telegram RAT
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • SIP_20252701095738583757327401213.bat.exe (PID: 1964 cmdline: "C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exe" MD5: 9182B0DD46FCFB344D576FBD13B81538)
    • powershell.exe (PID: 7308 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7896 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
  • cleanup
Malware Configuration Extractor: MassLogger {"EXfil Mode": "SMTP", "From": "sungnova2@surewaz.com", "Password": "hB~14J!UqCMO", "Server": "surewaz.com", "To": "sungnova@surewaz.com", "Port": 587}
Source: 00000006.00000002.2451051118.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Author: Joe Security
Source: 00000006.00000002.2451051118.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Author: Joe Security
Source: 00000006.00000002.2451051118.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Rule: JoeSecurity_MSILLogger, Description: Yara detected MSIL Logger, Author: Joe Security
Source: 00000006.00000002.2451051118.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Author: Joe Security
Source: 00000006.00000002.2451051118.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Author: unknown, Strings:
  • 0xefdf:$a1: get_encryptedPassword
  • 0xf307:$a2: get_encryptedUsername
  • 0xed7a:$a3: get_timePasswordChanged
  • 0xee9b:$a4: get_passwordField
  • 0xeff5:$a5: set_encryptedPassword
  • 0x10951:$a7: get_logins
  • 0x10602:$a8: GetOutlookPasswords
  • 0x103f4:$a9: StartKeylogger
  • 0x108a1:$a10: KeyLoggerEventArgs
  • 0x10451:$a11: KeyLoggerEventArgsEventHandler
Source: 6.2.SIP_20252701095738583757327401213.bat.exe.400000.0.unpack, Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Author: Joe Security
Source: 6.2.SIP_20252701095738583757327401213.bat.exe.400000.0.unpack, Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Author: Joe Security
Source: 6.2.SIP_20252701095738583757327401213.bat.exe.400000.0.unpack, Rule: JoeSecurity_MSILLogger, Description: Yara detected MSIL Logger, Author: Joe Security
Source: 6.2.SIP_20252701095738583757327401213.bat.exe.400000.0.unpack, Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Author: Joe Security
Source: 6.2.SIP_20252701095738583757327401213.bat.exe.400000.0.unpack, Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Author: unknown, Strings:
  • 0xf1df:$a1: get_encryptedPassword
  • 0xf507:$a2: get_encryptedUsername
  • 0xef7a:$a3: get_timePasswordChanged
  • 0xf09b:$a4: get_passwordField
  • 0xf1f5:$a5: set_encryptedPassword
  • 0x10b51:$a7: get_logins
  • 0x10802:$a8: GetOutlookPasswords
  • 0x105f4:$a9: StartKeylogger
  • 0x10aa1:$a10: KeyLoggerEventArgs
  • 0x10651:$a11: KeyLoggerEventArgsEventHandler

System Summary

Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exe", ParentImage: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exe, ParentProcessId: 1964, ParentProcessName: SIP_20252701095738583757327401213.bat.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exe", ProcessId: 7308, ProcessName: powershell.exe
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exe", ParentImage: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exe, ParentProcessId: 1964, ParentProcessName: SIP_20252701095738583757327401213.bat.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exe", ProcessId: 7308, ProcessName: powershell.exe

Suricata IDS alert:
Timestamp: 2025-03-11T08:54:06.437892+0100, SID: 2803274, Severity: 2, Classtype: Potentially Bad Traffic, Source IP: 192.168.2.6, Source Port: 49696, Destination IP: 193.122.6.168, Destination Port: 80, Protocol: TCP

                  AV Detection

Source: 0.2.SIP_20252701095738583757327401213.bat.exe.348cd08.3.raw.unpack, Malware Configuration Extractor: MassLogger {"EXfil Mode": "SMTP", "From": "sungnova2@surewaz.com", "Password": "hB~14J!UqCMO", "Server": "surewaz.com", "To": "sungnova@surewaz.com", "Port": 587}
Source: SIP_20252701095738583757327401213.bat.exe, ReversingLabs: Detection: 31%
Source: SIP_20252701095738583757327401213.bat.exe, Virustotal: Detection: 37%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 97.9% probability

                  Location Tracking

Source: unknown, DNS query: name: reallyfreegeoip.org
Source: SIP_20252701095738583757327401213.bat.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown, HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.6:49698 version: TLS 1.0
Source: SIP_20252701095738583757327401213.bat.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: fOXZ.pdbSHA256>MOu source: SIP_20252701095738583757327401213.bat.exe
Source: Binary string: fOXZ.pdb source: SIP_20252701095738583757327401213.bat.exe
Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exe, Code function: 4x nop then jmp 01539731h, 6_2_01539480
Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exe, Code function: 4x nop then jmp 01539E5Ah, 6_2_01539A40
Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exe, Code function: 4x nop then jmp 01539E5Ah, 6_2_01539A30
Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exe, Code function: 4x nop then jmp 01539E5Ah, 6_2_01539D87
Source: global traffic, HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: Joe Sandbox View, IP Address: 193.122.6.168 193.122.6.168
Source: Joe Sandbox View, IP Address: 104.21.64.1 104.21.64.1
Source: Joe Sandbox View, JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: unknown, DNS query: name: checkip.dyndns.org
Source: unknown, DNS query: name: reallyfreegeoip.org
Source: Network traffic, Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49696 -> 193.122.6.168:80
Source: global traffic, HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: unknown, HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.6:49698 version: TLS 1.0
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic, HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic, DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic, DNS traffic detected: DNS query: reallyfreegeoip.org
Source: SIP_20252701095738583757327401213.bat.exe, 00000006.00000002.2453692223.00000000031AF000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://checkip.dyndns.com
Source: SIP_20252701095738583757327401213.bat.exe, 00000006.00000002.2453692223.00000000031AF000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://checkip.dyndns.comd
Source: SIP_20252701095738583757327401213.bat.exe, 00000006.00000002.2453692223.00000000031AF000.00000004.00000800.00020000.00000000.sdmp, SIP_20252701095738583757327401213.bat.exe, 00000006.00000002.2453692223.0000000003131000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://checkip.dyndns.org
Source: SIP_20252701095738583757327401213.bat.exe, 00000006.00000002.2453692223.0000000003131000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://checkip.dyndns.org/
Source: SIP_20252701095738583757327401213.bat.exe, 00000006.00000002.2453692223.00000000031AF000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://checkip.dyndns.org/d
Source: SIP_20252701095738583757327401213.bat.exe, 00000000.00000002.1270299842.0000000003429000.00000004.00000800.00020000.00000000.sdmp, SIP_20252701095738583757327401213.bat.exe, 00000006.00000002.2451051118.0000000000402000.00000040.00000400.00020000.00000000.sdmp, String found in binary or memory: http://checkip.dyndns.org/q
Source: SIP_20252701095738583757327401213.bat.exe, 00000006.00000002.2453692223.00000000031AF000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://checkip.dyndns.orgd
Source: SIP_20252701095738583757327401213.bat.exe, String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: SIP_20252701095738583757327401213.bat.exe, String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: SIP_20252701095738583757327401213.bat.exe, String found in binary or memory: http://ocsp.comodoca.com0
Source: SIP_20252701095738583757327401213.bat.exe, 00000006.00000002.2453692223.00000000031CB000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://reallyfreegeoip.org
Source: SIP_20252701095738583757327401213.bat.exe, 00000006.00000002.2453692223.00000000031CB000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://reallyfreegeoip.orgd
Source: SIP_20252701095738583757327401213.bat.exe, 00000000.00000002.1266324152.0000000002470000.00000004.00000800.00020000.00000000.sdmp, SIP_20252701095738583757327401213.bat.exe, 00000006.00000002.2453692223.0000000003131000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SIP_20252701095738583757327401213.bat.exe, 00000000.00000002.1270299842.0000000003429000.00000004.00000800.00020000.00000000.sdmp, SIP_20252701095738583757327401213.bat.exe, 00000006.00000002.2451051118.0000000000402000.00000040.00000400.00020000.00000000.sdmp, String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: SIP_20252701095738583757327401213.bat.exe, 00000006.00000002.2453692223.00000000031AF000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://reallyfreegeoip.org
Source: SIP_20252701095738583757327401213.bat.exe, 00000000.00000002.1270299842.0000000003429000.00000004.00000800.00020000.00000000.sdmp, SIP_20252701095738583757327401213.bat.exe, 00000006.00000002.2451051118.0000000000402000.00000040.00000400.00020000.00000000.sdmp, SIP_20252701095738583757327401213.bat.exe, 00000006.00000002.2453692223.00000000031AF000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: SIP_20252701095738583757327401213.bat.exe, 00000006.00000002.2453692223.00000000031AF000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189d
Source: SIP_20252701095738583757327401213.bat.exe, 00000006.00000002.2453692223.00000000031AF000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l
Source: SIP_20252701095738583757327401213.bat.exe, String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
Source: unknown, Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49698

                  Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.SIP_20252701095738583757327401213.bat.exe.348cd08.3.raw.unpack, UltraSpeed.cs, .Net Code: VKCodeToUnicode
Source: 0.2.SIP_20252701095738583757327401213.bat.exe.34a3b28.4.raw.unpack, UltraSpeed.cs, .Net Code: VKCodeToUnicode

                  System Summary

Source: 6.2.SIP_20252701095738583757327401213.bat.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 6.2.SIP_20252701095738583757327401213.bat.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.SIP_20252701095738583757327401213.bat.exe.348cd08.3.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.SIP_20252701095738583757327401213.bat.exe.348cd08.3.unpack, type: UNPACKEDPE, Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.SIP_20252701095738583757327401213.bat.exe.34a3b28.4.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.SIP_20252701095738583757327401213.bat.exe.34a3b28.4.unpack, type: UNPACKEDPE, Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.SIP_20252701095738583757327401213.bat.exe.34a3b28.4.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.SIP_20252701095738583757327401213.bat.exe.348cd08.3.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000006.00000002.2451051118.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1270299842.0000000003429000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: SIP_20252701095738583757327401213.bat.exe PID: 1964, type: MEMORYSTR, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: SIP_20252701095738583757327401213.bat.exe PID: 7332, type: MEMORYSTR, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exe, Code function: 0_2_02283E34, 0_2_02283E34
Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exe, Code function: 0_2_02286F90, 0_2_02286F90
Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exe, Code function: 0_2_0228D644, 0_2_0228D644
Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exe, Code function: 0_2_0B3D1430, 0_2_0B3D1430
Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exe, Code function: 6_2_0153C530, 6_2_0153C530
Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exe, Code function: 6_2_01539480, 6_2_01539480
Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exe, Code function: 6_2_015319B8, 6_2_015319B8
Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exe, Code function: 6_2_0153C49F, 6_2_0153C49F
Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exe, Code function: 6_2_01532DD1, 6_2_01532DD1
Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exe, Code function: 6_2_0153946F, 6_2_0153946F
Source: SIP_20252701095738583757327401213.bat.exe, Static PE information: invalid certificate
Source: SIP_20252701095738583757327401213.bat.exe, 00000000.00000002.1271952099.0000000004CB0000.00000004.08000000.00040000.00000000.sdmp, Binary or memory string: OriginalFilenameTL.dll" vs SIP_20252701095738583757327401213.bat.exe
Source: SIP_20252701095738583757327401213.bat.exe, 00000000.00000000.1197463138.0000000000102000.00000002.00000001.01000000.00000003.sdmp, Binary or memory string: OriginalFilenamefOXZ.exe0 vs SIP_20252701095738583757327401213.bat.exe
Source: SIP_20252701095738583757327401213.bat.exe, 00000000.00000002.1270299842.0000000003429000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameCloudServices.exe< vs SIP_20252701095738583757327401213.bat.exe
Source: SIP_20252701095738583757327401213.bat.exe, 00000000.00000002.1270299842.0000000003429000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameMontero.dll8 vs SIP_20252701095738583757327401213.bat.exe
Source: SIP_20252701095738583757327401213.bat.exe, 00000000.00000002.1264300697.00000000005BE000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameclr.dllT vs SIP_20252701095738583757327401213.bat.exe
Source: SIP_20252701095738583757327401213.bat.exe, 00000000.00000002.1273477681.0000000006AA0000.00000004.08000000.00040000.00000000.sdmp, Binary or memory string: OriginalFilenameMontero.dll8 vs SIP_20252701095738583757327401213.bat.exe
Source: SIP_20252701095738583757327401213.bat.exe, 00000000.00000002.1266324152.0000000002470000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameCloudServices.exe< vs SIP_20252701095738583757327401213.bat.exe
Source: SIP_20252701095738583757327401213.bat.exe, 00000000.00000002.1266324152.0000000002470000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameTL.dll" vs SIP_20252701095738583757327401213.bat.exe
Source: SIP_20252701095738583757327401213.bat.exe, 00000006.00000002.2451455432.0000000001177000.00000004.00000010.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameUNKNOWN_FILET vs SIP_20252701095738583757327401213.bat.exe
Source: SIP_20252701095738583757327401213.bat.exe, 00000006.00000002.2451051118.000000000041A000.00000040.00000400.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameCloudServices.exe< vs SIP_20252701095738583757327401213.bat.exe
Source: SIP_20252701095738583757327401213.bat.exe, Binary or memory string: OriginalFilenamefOXZ.exe0 vs SIP_20252701095738583757327401213.bat.exe
Source: SIP_20252701095738583757327401213.bat.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 6.2.SIP_20252701095738583757327401213.bat.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.2.SIP_20252701095738583757327401213.bat.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.SIP_20252701095738583757327401213.bat.exe.348cd08.3.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.SIP_20252701095738583757327401213.bat.exe.348cd08.3.unpack, type: UNPACKEDPE, Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.SIP_20252701095738583757327401213.bat.exe.34a3b28.4.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.SIP_20252701095738583757327401213.bat.exe.34a3b28.4.unpack, type: UNPACKEDPE, Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.SIP_20252701095738583757327401213.bat.exe.34a3b28.4.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.SIP_20252701095738583757327401213.bat.exe.348cd08.3.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000006.00000002.2451051118.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1270299842.0000000003429000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: SIP_20252701095738583757327401213.bat.exe PID: 1964, type: MEMORYSTR, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: SIP_20252701095738583757327401213.bat.exe PID: 7332, type: MEMORYSTR, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: SIP_20252701095738583757327401213.bat.exe, Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.SIP_20252701095738583757327401213.bat.exe.348cd08.3.raw.unpack, UltraSpeed.cs, Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SIP_20252701095738583757327401213.bat.exe.348cd08.3.raw.unpack, COVIDPickers.cs, Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SIP_20252701095738583757327401213.bat.exe.34a3b28.4.raw.unpack, UltraSpeed.cs, Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SIP_20252701095738583757327401213.bat.exe.34a3b28.4.raw.unpack, COVIDPickers.cs, Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SIP_20252701095738583757327401213.bat.exe.6aa0000.6.raw.unpack, C0v2gSYfebBXrSIvND.cs, Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.SIP_20252701095738583757327401213.bat.exe.6aa0000.6.raw.unpack, C0v2gSYfebBXrSIvND.cs, Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SIP_20252701095738583757327401213.bat.exe.6aa0000.6.raw.unpack, C0v2gSYfebBXrSIvND.cs, Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.SIP_20252701095738583757327401213.bat.exe.35a7580.2.raw.unpack, C0v2gSYfebBXrSIvND.cs, Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.SIP_20252701095738583757327401213.bat.exe.35a7580.2.raw.unpack, C0v2gSYfebBXrSIvND.cs, Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SIP_20252701095738583757327401213.bat.exe.35a7580.2.raw.unpack, C0v2gSYfebBXrSIvND.cs, Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.SIP_20252701095738583757327401213.bat.exe.35a7580.2.raw.unpack, l8I7QaDcXk2PYsIoYp.cs, Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.SIP_20252701095738583757327401213.bat.exe.35a7580.2.raw.unpack, l8I7QaDcXk2PYsIoYp.cs, Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: 0.2.SIP_20252701095738583757327401213.bat.exe.6aa0000.6.raw.unpack, l8I7QaDcXk2PYsIoYp.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                  Source: 0.2.SIP_20252701095738583757327401213.bat.exe.6aa0000.6.raw.unpack, l8I7QaDcXk2PYsIoYp.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@9/6@2/2
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SIP_20252701095738583757327401213.bat.exe.logJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeMutant created: NULL
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7324:120:WilError_03
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_30haz1jj.5y3.ps1Jump to behavior
                  Source: SIP_20252701095738583757327401213.bat.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: SIP_20252701095738583757327401213.bat.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                  Source: SIP_20252701095738583757327401213.bat.exe, 00000006.00000002.2454841273.000000000415D000.00000004.00000800.00020000.00000000.sdmp, SIP_20252701095738583757327401213.bat.exe, 00000006.00000002.2453692223.0000000003241000.00000004.00000800.00020000.00000000.sdmp, SIP_20252701095738583757327401213.bat.exe, 00000006.00000002.2453692223.000000000324E000.00000004.00000800.00020000.00000000.sdmp, SIP_20252701095738583757327401213.bat.exe, 00000006.00000002.2453692223.000000000322D000.00000004.00000800.00020000.00000000.sdmp, SIP_20252701095738583757327401213.bat.exe, 00000006.00000002.2453692223.000000000321E000.00000004.00000800.00020000.00000000.sdmp, SIP_20252701095738583757327401213.bat.exe, 00000006.00000002.2453692223.000000000320F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                  Source: SIP_20252701095738583757327401213.bat.exeReversingLabs: Detection: 31%
                  Source: SIP_20252701095738583757327401213.bat.exeVirustotal: Detection: 37%
                  Source: unknownProcess created: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exe "C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exe"
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exe"
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeProcess created: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exe "C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exe"
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeProcess created: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exe "C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exe"
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exe"Jump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeProcess created: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exe "C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exe"Jump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeProcess created: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exe "C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exe"Jump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeSection loaded: dwrite.dllJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeSection loaded: windowscodecs.dllJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeSection loaded: textshaping.dllJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeSection loaded: edputil.dllJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeSection loaded: appresolver.dllJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeSection loaded: bcp47langs.dllJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeSection loaded: slc.dllJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeSection loaded: sppc.dllJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeSection loaded: rasapi32.dllJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeSection loaded: rasman.dllJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeSection loaded: rtutils.dllJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeSection loaded: mswsock.dllJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeSection loaded: winhttp.dllJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeSection loaded: dhcpcsvc6.dllJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeSection loaded: dhcpcsvc.dllJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeSection loaded: dnsapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeSection loaded: winnsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeSection loaded: rasadhlp.dllJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeSection loaded: fwpuclnt.dllJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeSection loaded: schannel.dllJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeSection loaded: mskeyprotect.dllJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeSection loaded: ntasn1.dllJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeSection loaded: ncrypt.dllJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeSection loaded: ncryptsslp.dllJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeSection loaded: dpapi.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                  Source: Window RecorderWindow detected: More than 3 window changes detected
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                  Source: SIP_20252701095738583757327401213.bat.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: SIP_20252701095738583757327401213.bat.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: SIP_20252701095738583757327401213.bat.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Binary string: fOXZ.pdbSHA256>MOu source: SIP_20252701095738583757327401213.bat.exe
                  Source: Binary string: fOXZ.pdb source: SIP_20252701095738583757327401213.bat.exe

                  Data Obfuscation

                  Source: SIP_20252701095738583757327401213.bat.exe, LoginForm.cs | .Net Code: InitializeComponent System.AppDomain.Load(byte[])
                  Source: 0.2.SIP_20252701095738583757327401213.bat.exe.35a7580.2.raw.unpack, C0v2gSYfebBXrSIvND.cs | .Net Code: DLjAFmy9fe System.Reflection.Assembly.Load(byte[])
                  Source: 0.2.SIP_20252701095738583757327401213.bat.exe.6aa0000.6.raw.unpack, C0v2gSYfebBXrSIvND.cs | .Net Code: DLjAFmy9fe System.Reflection.Assembly.Load(byte[])
                  Source: SIP_20252701095738583757327401213.bat.exe | Static PE information: 0xD360E883 [Mon May 18 15:25:55 2082 UTC]
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exe | Code function: 0_2_0228E758 pushad ; retf 0_2_0228E759
                  Source: SIP_20252701095738583757327401213.bat.exe | Static PE information: section name: .text entropy: 7.781630403619485
                  Source: 0.2.SIP_20252701095738583757327401213.bat.exe.35a7580.2.raw.unpack, gp9e8nuurPapEMh55ef.cs | High entropy of concatenated method names: 'CZub0lVavd', 'Lq8bz9JCtJ', 'DGtOv0UAl5', 'RDEOuPMJIS', 'bDOOh4GZWB', 'd4IOMNcKuE', 'lhhOA35Aus', 'ffvOU2WCmd', 'KJ9O7lBgfF', 'kNhOxVaJ3T'
                  Source: 0.2.SIP_20252701095738583757327401213.bat.exe.35a7580.2.raw.unpack, SaoQMVga0dKmqCmBUR.cs | High entropy of concatenated method names: 'DKOcm7sdF5', 'nlycJhlLwT', 'LjVcDmSdta', 'aA5cgWQJP1', 'OnKcEE1U39', 'A7ycSxeUvj', 'wOCcIKWjWV', 'dLZceWZguS', 'YEQcHImwvA', 'ucgcbnpYkD'
                  Source: 0.2.SIP_20252701095738583757327401213.bat.exe.35a7580.2.raw.unpack, YS9xHGajdZDpHY6vxG.cs | High entropy of concatenated method names: 'g4XEXHjeI8', 'alPE4iyNwm', 'XcUEaCEIJb', 'omEE2Dew9H', 'mtjEBtaxUS', 'EQYE66vQBV', 'DJmEpui7W5', 'BMuEyykcDv', 'vrIENyvX07', 'GjiEfThyD6'
                  Source: 0.2.SIP_20252701095738583757327401213.bat.exe.35a7580.2.raw.unpack, cEjiH4AkU4FRKdjpu9.cs | High entropy of concatenated method names: 'MuiuC8I7Qa', 'gXkuY2PYsI', 'ma0usdKmqC', 'ABUuVRtBum', 'jOsuEYlubY', 'kxFuSSErdu', 'EXGA2L9FO63Rf1DElX', 'B6YGfSrgw8xHfYSoG3', 'FIpuu7gKVt', 'YbnuM2HvM2'
                  Source: 0.2.SIP_20252701095738583757327401213.bat.exe.35a7580.2.raw.unpack, WnZmKV0mcDiJCxdulQ.cs | High entropy of concatenated method names: 'L85bc51HGp', 'OfybZmE5ex', 'yV4b9LU7fQ', 'LCPbCkBTtY', 'FW2bHrbi71', 'OydbYakoso', 'Next', 'Next', 'Next', 'NextBytes'
                  Source: 0.2.SIP_20252701095738583757327401213.bat.exe.35a7580.2.raw.unpack, SqGbmHuAlvtiiBPP0Ki.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'FYHlHTZqfo', 'vEFlbPpWtq', 'fMJlO7YCfj', 'KQ9llFSglD', 'l5LlwwZuvP', 'gjZlqXXFWG', 'uAql8sTvVy'
                  Source: 0.2.SIP_20252701095738583757327401213.bat.exe.35a7580.2.raw.unpack, NKvZieN2X0WbeJmkQa.cs | High entropy of concatenated method names: 'oae9jp5D1J', 'KQG9QXHv9Z', 'r8A9GUCDfV', 'ToString', 'jjx9KMhUHB', 'G5q9RtYH6H', 'obWvyICnpDwkN4OAjVy', 'psUMfYCaqo4DvMDcXX9', 'D6mlebCbfj07qy06LYh'
                  Source: 0.2.SIP_20252701095738583757327401213.bat.exe.35a7580.2.raw.unpack, ojy3lVuhXRFfXlUQUAp.cs | High entropy of concatenated method names: 'ToString', 'zsoODcRQS4', 'ULuOgnMvki', 'GbdOLoSy9T', 't9HO3RDUam', 'vatOBsLbKG', 'GuGO6pve13', 'USwOp8G7Yy', 'OnE6A1sQolr8yvTvSmJ', 'fwFwo9sW6j5dEP0he6Z'
                  Source: 0.2.SIP_20252701095738583757327401213.bat.exe.35a7580.2.raw.unpack, hphorVBVdgDdMyUfcY.cs | High entropy of concatenated method names: 'LcO3rwCvoULIt6LVBsw', 'XmDMs4CD5KXeRhoC0Ji', 'Ybr9eYAOPJ', 'v7Z9HWbkY2', 'oDH9bqH1YE', 'tkEY7uCXfwpkwKWdmuV', 'aOToiACjyDWxOjcZ4dv'
                  Source: 0.2.SIP_20252701095738583757327401213.bat.exe.35a7580.2.raw.unpack, pluHpQhoVyGOkcwkDA.cs | High entropy of concatenated method names: 'JXfF7QF1Y', 'HJ2mTIThI', 'd9hJ7bBdG', 'ITodUxTL4', 'O4Ag78upU', 'EfLL8iJqH', 'M4lVNleP8fBKvME5QG', 'GlcELnxEo50ruZAmUd', 'kWVeRBox0', 'UOPbbkGkx'
                  Source: 0.2.SIP_20252701095738583757327401213.bat.exe.35a7580.2.raw.unpack, JqM2EtcTMZICegRNmI.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'PrOh5njGPK', 'yUYh0TDZUb', 'tdOhzRj9xT', 'e2NMv28yFd', 'GDAMuZ3aKI', 'x0aMhTSfbj', 'wwcMM7qX8O', 'KRYBvxWSd6csPKNHfHi'
                  Source: 0.2.SIP_20252701095738583757327401213.bat.exe.35a7580.2.raw.unpack, P1sRiJjtmA026wQ8o5.cs | High entropy of concatenated method names: 'ToString', 'nPxS1n2xWT', 'VONSBkoTgK', 'GlcS6pibnk', 'jiySpSNmcE', 'FSXSyM2Rbv', 'UxySNxYaZU', 'OQTSfdR2pG', 'YlaSo29IoA', 'HLlSth9K5k'
                  Source: 0.2.SIP_20252701095738583757327401213.bat.exe.35a7580.2.raw.unpack, Obv90fQXEGtsvP0qgn.cs | High entropy of concatenated method names: 'UYuIsKA9go', 'HRgIV8ybXm', 'ToString', 'zmBI7RUaeT', 'AmfIxweHV1', 'RNsIcm7H2g', 'k2bIZwMpgW', 'ssfI9urFnh', 'SxwIChNlZZ', 'VniIYS9mtO'
                  Source: 0.2.SIP_20252701095738583757327401213.bat.exe.35a7580.2.raw.unpack, YkMb9uWWdZ2Z9Y2Fnm.cs | High entropy of concatenated method names: 'ptknDLQ2go', 'VCPngRJaAJ', 'p0En3nmYJi', 'r0dnB0JWh4', 'LGOnpGI8mL', 'eLtnyNAr0t', 'stynfMFiol', 'qplnoFdTmo', 'XgXnXc9RZi', 'GuXn1wkPGU'
                  Source: 0.2.SIP_20252701095738583757327401213.bat.exe.35a7580.2.raw.unpack, MBum3wL6jpxgSCOsYl.cs | High entropy of concatenated method names: 'nAnZkt7HkI', 'J1UZdtRg4f', 'T6oc6oREXF', 'MsEcpZXPso', 'FCHcyQau2G', 'pIycNLC65e', 'bKYcfSUTNa', 'eWJcor1Aae', 'CVgctnjres', 'kLycXuhPWn'
                  Source: 0.2.SIP_20252701095738583757327401213.bat.exe.35a7580.2.raw.unpack, ouDawY57Lhq0xKkI5d.cs | High entropy of concatenated method names: 'HhfH3A0Q0P', 'PtIHB3BlyE', 'JERH6yJIuk', 'UAFHp9mtsB', 'HTQHyK8HSe', 'JVWHNmSbu8', 'fiVHfMugHu', 'Q4xHoqowKv', 'ihUHtIfgLh', 'Cb0HXZ9e8i'
                  Source: 0.2.SIP_20252701095738583757327401213.bat.exe.35a7580.2.raw.unpack, Qs9jKmtgiShvwmS1ly.cs | High entropy of concatenated method names: 'J7uCP75lII', 'axWCTa9fqp', 'MYkCFMhYth', 'Fa9Cm8AyjX', 'rs4CkaGg3C', 'JCHCJJFDIM', 'xF0CdNkfZE', 'iZgCDaADHX', 'nDxCg2hhTD', 'VifCL1PA4H'
                  Source: 0.2.SIP_20252701095738583757327401213.bat.exe.35a7580.2.raw.unpack, fdMQ04uv5bAvd0x9Z7U.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'hqAb1HlWjT', 'Jt9b4Ob8e5', 'jyDbWuNCWG', 'k3Dbaqcb4X', 'vaob2mgMI5', 'PTjbjJkNYl', 'DmSbQf7GXd'
                  Source: 0.2.SIP_20252701095738583757327401213.bat.exe.35a7580.2.raw.unpack, TnLgrixmaqLqLuwAmt.cs | High entropy of concatenated method names: 'Dispose', 'DqLu5RToJZ', 'lpXhBvQDH1', 'cIQA4l1AVY', 'QRju0GPOkZ', 'G2VuzNbTP1', 'ProcessDialogKey', 'jpEhvuDawY', 'fLhhuq0xKk', 'q5dhhrnZmK'
                  Source: 0.2.SIP_20252701095738583757327401213.bat.exe.35a7580.2.raw.unpack, C0v2gSYfebBXrSIvND.cs | High entropy of concatenated method names: 'fbkMUbs8WG', 'QFfM78cwtD', 'ILgMx16RkJ', 'f7sMcChM3B', 'li7MZP9VR6', 'H5IM9Iri5j', 'wiMMCQivNx', 'TJTMYIxt3K', 'cqlMiOsFMa', 'CAUMsWEwdw'
                  Source: 0.2.SIP_20252701095738583757327401213.bat.exe.35a7580.2.raw.unpack, VSPvCwRdFDqLRToJZW.cs | High entropy of concatenated method names: 'V1cHEiu6in', 'WCCHI0XQPQ', 'gR9HHCx9ST', 'yJHHOblOaT', 'igcHw4yi8p', 'PfqH8IUNuB', 'Dispose', 'Vjqe70hyDh', 'S9Jex2L7kS', 'LrYecskHmP'
                  Source: 0.2.SIP_20252701095738583757327401213.bat.exe.35a7580.2.raw.unpack, l8I7QaDcXk2PYsIoYp.cs | High entropy of concatenated method names: 'gOkxavZCZa', 'xbDx28akws', 'dxfxjMKtse', 'XWfxQqq4q9', 'MxDxG3TYTj', 'HWLxKhqIJN', 'FqlxRinrUL', 'SiBxrtTWSp', 'Pyix5rckT0', 'Eeex0RY9Ca'
                  Source: 0.2.SIP_20252701095738583757327401213.bat.exe.35a7580.2.raw.unpack, bbYYxF3SErdu6s5aXh.cs | High entropy of concatenated method names: 'Lyr9UcECKG', 'q2X9xs2MG9', 'Cfe9ZwiFS6', 'OJR9CYVHqK', 'ofk9YunUYm', 'k2oZG3dF9S', 'bD6ZKDi3Nn', 's67ZR9sgGv', 'ctIZrQr9Un', 'dLtZ5UikMd'
                  Source: 0.2.SIP_20252701095738583757327401213.bat.exe.35a7580.2.raw.unpack, GIN969p26ehoNHS6Jy.cs | High entropy of concatenated method names: 'gIQ98RZh8b', 'OiR9Pxqd2j', 'iMp9FOYxav', 'Ak19mycQQc', 'SjM9JNBhWI', 'wjB9dpYI90', 'nFQ9gIlbPU', 'BTV9L6Jr7k', 'l8uARaCP3l6wftXrW3N', 't44RwICwbg1XIHn2lrm'
                  Source: 0.2.SIP_20252701095738583757327401213.bat.exe.35a7580.2.raw.unpack, CjVCnTzbdp2nMZgNV1.cs | High entropy of concatenated method names: 'KmSbJ0MD3S', 'ae3bDTIwu0', 'nyGbgig6sP', 'qnbb33cQcU', 'rW9bBSMqjd', 'FeHbpQYlmg', 'IZ9byjo9SA', 'srPb8mgIDg', 'jsBbPaJZs5', 'SkybTHK2xB'
                  Source: 0.2.SIP_20252701095738583757327401213.bat.exe.35a7580.2.raw.unpack, YpRJK7Kf6BsPf4wUhW.cs | High entropy of concatenated method names: 'Og9IrHQtEp', 'IAVI0IvVD2', 'BijevO1rno', 'g7peujNojR', 'rsPI1Ab4ps', 'oHPI41QL1d', 'VXJIWNBEmm', 'dIaIaelZrm', 'jIoI2ddDn9', 'XNmIjkpHYL'
                  Source: 0.2.SIP_20252701095738583757327401213.bat.exe.6aa0000.6.raw.unpack, gp9e8nuurPapEMh55ef.cs | High entropy of concatenated method names: 'CZub0lVavd', 'Lq8bz9JCtJ', 'DGtOv0UAl5', 'RDEOuPMJIS', 'bDOOh4GZWB', 'd4IOMNcKuE', 'lhhOA35Aus', 'ffvOU2WCmd', 'KJ9O7lBgfF', 'kNhOxVaJ3T'
                  Source: 0.2.SIP_20252701095738583757327401213.bat.exe.6aa0000.6.raw.unpack, SaoQMVga0dKmqCmBUR.cs | High entropy of concatenated method names: 'DKOcm7sdF5', 'nlycJhlLwT', 'LjVcDmSdta', 'aA5cgWQJP1', 'OnKcEE1U39', 'A7ycSxeUvj', 'wOCcIKWjWV', 'dLZceWZguS', 'YEQcHImwvA', 'ucgcbnpYkD'
                  Source: 0.2.SIP_20252701095738583757327401213.bat.exe.6aa0000.6.raw.unpack, YS9xHGajdZDpHY6vxG.cs | High entropy of concatenated method names: 'g4XEXHjeI8', 'alPE4iyNwm', 'XcUEaCEIJb', 'omEE2Dew9H', 'mtjEBtaxUS', 'EQYE66vQBV', 'DJmEpui7W5', 'BMuEyykcDv', 'vrIENyvX07', 'GjiEfThyD6'
                  Source: 0.2.SIP_20252701095738583757327401213.bat.exe.6aa0000.6.raw.unpack, cEjiH4AkU4FRKdjpu9.csHigh entropy of concatenated method names: 'MuiuC8I7Qa', 'gXkuY2PYsI', 'ma0usdKmqC', 'ABUuVRtBum', 'jOsuEYlubY', 'kxFuSSErdu', 'EXGA2L9FO63Rf1DElX', 'B6YGfSrgw8xHfYSoG3', 'FIpuu7gKVt', 'YbnuM2HvM2'
                  Source: 0.2.SIP_20252701095738583757327401213.bat.exe.6aa0000.6.raw.unpack, WnZmKV0mcDiJCxdulQ.csHigh entropy of concatenated method names: 'L85bc51HGp', 'OfybZmE5ex', 'yV4b9LU7fQ', 'LCPbCkBTtY', 'FW2bHrbi71', 'OydbYakoso', 'Next', 'Next', 'Next', 'NextBytes'
                  Source: 0.2.SIP_20252701095738583757327401213.bat.exe.6aa0000.6.raw.unpack, SqGbmHuAlvtiiBPP0Ki.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'FYHlHTZqfo', 'vEFlbPpWtq', 'fMJlO7YCfj', 'KQ9llFSglD', 'l5LlwwZuvP', 'gjZlqXXFWG', 'uAql8sTvVy'
                  Source: 0.2.SIP_20252701095738583757327401213.bat.exe.6aa0000.6.raw.unpack, NKvZieN2X0WbeJmkQa.csHigh entropy of concatenated method names: 'oae9jp5D1J', 'KQG9QXHv9Z', 'r8A9GUCDfV', 'ToString', 'jjx9KMhUHB', 'G5q9RtYH6H', 'obWvyICnpDwkN4OAjVy', 'psUMfYCaqo4DvMDcXX9', 'D6mlebCbfj07qy06LYh'
                  Source: 0.2.SIP_20252701095738583757327401213.bat.exe.6aa0000.6.raw.unpack, ojy3lVuhXRFfXlUQUAp.csHigh entropy of concatenated method names: 'ToString', 'zsoODcRQS4', 'ULuOgnMvki', 'GbdOLoSy9T', 't9HO3RDUam', 'vatOBsLbKG', 'GuGO6pve13', 'USwOp8G7Yy', 'OnE6A1sQolr8yvTvSmJ', 'fwFwo9sW6j5dEP0he6Z'
                  Source: 0.2.SIP_20252701095738583757327401213.bat.exe.6aa0000.6.raw.unpack, hphorVBVdgDdMyUfcY.csHigh entropy of concatenated method names: 'LcO3rwCvoULIt6LVBsw', 'XmDMs4CD5KXeRhoC0Ji', 'Ybr9eYAOPJ', 'v7Z9HWbkY2', 'oDH9bqH1YE', 'tkEY7uCXfwpkwKWdmuV', 'aOToiACjyDWxOjcZ4dv'
                  Source: 0.2.SIP_20252701095738583757327401213.bat.exe.6aa0000.6.raw.unpack, pluHpQhoVyGOkcwkDA.csHigh entropy of concatenated method names: 'JXfF7QF1Y', 'HJ2mTIThI', 'd9hJ7bBdG', 'ITodUxTL4', 'O4Ag78upU', 'EfLL8iJqH', 'M4lVNleP8fBKvME5QG', 'GlcELnxEo50ruZAmUd', 'kWVeRBox0', 'UOPbbkGkx'
                  Source: 0.2.SIP_20252701095738583757327401213.bat.exe.6aa0000.6.raw.unpack, JqM2EtcTMZICegRNmI.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'PrOh5njGPK', 'yUYh0TDZUb', 'tdOhzRj9xT', 'e2NMv28yFd', 'GDAMuZ3aKI', 'x0aMhTSfbj', 'wwcMM7qX8O', 'KRYBvxWSd6csPKNHfHi'
                  Source: 0.2.SIP_20252701095738583757327401213.bat.exe.6aa0000.6.raw.unpack, P1sRiJjtmA026wQ8o5.csHigh entropy of concatenated method names: 'ToString', 'nPxS1n2xWT', 'VONSBkoTgK', 'GlcS6pibnk', 'jiySpSNmcE', 'FSXSyM2Rbv', 'UxySNxYaZU', 'OQTSfdR2pG', 'YlaSo29IoA', 'HLlSth9K5k'
                  Source: 0.2.SIP_20252701095738583757327401213.bat.exe.6aa0000.6.raw.unpack, Obv90fQXEGtsvP0qgn.csHigh entropy of concatenated method names: 'UYuIsKA9go', 'HRgIV8ybXm', 'ToString', 'zmBI7RUaeT', 'AmfIxweHV1', 'RNsIcm7H2g', 'k2bIZwMpgW', 'ssfI9urFnh', 'SxwIChNlZZ', 'VniIYS9mtO'
                  Source: 0.2.SIP_20252701095738583757327401213.bat.exe.6aa0000.6.raw.unpack, YkMb9uWWdZ2Z9Y2Fnm.csHigh entropy of concatenated method names: 'ptknDLQ2go', 'VCPngRJaAJ', 'p0En3nmYJi', 'r0dnB0JWh4', 'LGOnpGI8mL', 'eLtnyNAr0t', 'stynfMFiol', 'qplnoFdTmo', 'XgXnXc9RZi', 'GuXn1wkPGU'
                  Source: 0.2.SIP_20252701095738583757327401213.bat.exe.6aa0000.6.raw.unpack, MBum3wL6jpxgSCOsYl.csHigh entropy of concatenated method names: 'nAnZkt7HkI', 'J1UZdtRg4f', 'T6oc6oREXF', 'MsEcpZXPso', 'FCHcyQau2G', 'pIycNLC65e', 'bKYcfSUTNa', 'eWJcor1Aae', 'CVgctnjres', 'kLycXuhPWn'
                  Source: 0.2.SIP_20252701095738583757327401213.bat.exe.6aa0000.6.raw.unpack, ouDawY57Lhq0xKkI5d.csHigh entropy of concatenated method names: 'HhfH3A0Q0P', 'PtIHB3BlyE', 'JERH6yJIuk', 'UAFHp9mtsB', 'HTQHyK8HSe', 'JVWHNmSbu8', 'fiVHfMugHu', 'Q4xHoqowKv', 'ihUHtIfgLh', 'Cb0HXZ9e8i'
                  Source: 0.2.SIP_20252701095738583757327401213.bat.exe.6aa0000.6.raw.unpack, Qs9jKmtgiShvwmS1ly.csHigh entropy of concatenated method names: 'J7uCP75lII', 'axWCTa9fqp', 'MYkCFMhYth', 'Fa9Cm8AyjX', 'rs4CkaGg3C', 'JCHCJJFDIM', 'xF0CdNkfZE', 'iZgCDaADHX', 'nDxCg2hhTD', 'VifCL1PA4H'
                  Source: 0.2.SIP_20252701095738583757327401213.bat.exe.6aa0000.6.raw.unpack, fdMQ04uv5bAvd0x9Z7U.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'hqAb1HlWjT', 'Jt9b4Ob8e5', 'jyDbWuNCWG', 'k3Dbaqcb4X', 'vaob2mgMI5', 'PTjbjJkNYl', 'DmSbQf7GXd'
                  Source: 0.2.SIP_20252701095738583757327401213.bat.exe.6aa0000.6.raw.unpack, TnLgrixmaqLqLuwAmt.csHigh entropy of concatenated method names: 'Dispose', 'DqLu5RToJZ', 'lpXhBvQDH1', 'cIQA4l1AVY', 'QRju0GPOkZ', 'G2VuzNbTP1', 'ProcessDialogKey', 'jpEhvuDawY', 'fLhhuq0xKk', 'q5dhhrnZmK'
                  Source: 0.2.SIP_20252701095738583757327401213.bat.exe.6aa0000.6.raw.unpack, C0v2gSYfebBXrSIvND.csHigh entropy of concatenated method names: 'fbkMUbs8WG', 'QFfM78cwtD', 'ILgMx16RkJ', 'f7sMcChM3B', 'li7MZP9VR6', 'H5IM9Iri5j', 'wiMMCQivNx', 'TJTMYIxt3K', 'cqlMiOsFMa', 'CAUMsWEwdw'
                  Source: 0.2.SIP_20252701095738583757327401213.bat.exe.6aa0000.6.raw.unpack, VSPvCwRdFDqLRToJZW.csHigh entropy of concatenated method names: 'V1cHEiu6in', 'WCCHI0XQPQ', 'gR9HHCx9ST', 'yJHHOblOaT', 'igcHw4yi8p', 'PfqH8IUNuB', 'Dispose', 'Vjqe70hyDh', 'S9Jex2L7kS', 'LrYecskHmP'
                  Source: 0.2.SIP_20252701095738583757327401213.bat.exe.6aa0000.6.raw.unpack, l8I7QaDcXk2PYsIoYp.csHigh entropy of concatenated method names: 'gOkxavZCZa', 'xbDx28akws', 'dxfxjMKtse', 'XWfxQqq4q9', 'MxDxG3TYTj', 'HWLxKhqIJN', 'FqlxRinrUL', 'SiBxrtTWSp', 'Pyix5rckT0', 'Eeex0RY9Ca'
                  Source: 0.2.SIP_20252701095738583757327401213.bat.exe.6aa0000.6.raw.unpack, bbYYxF3SErdu6s5aXh.csHigh entropy of concatenated method names: 'Lyr9UcECKG', 'q2X9xs2MG9', 'Cfe9ZwiFS6', 'OJR9CYVHqK', 'ofk9YunUYm', 'k2oZG3dF9S', 'bD6ZKDi3Nn', 's67ZR9sgGv', 'ctIZrQr9Un', 'dLtZ5UikMd'
                  Source: 0.2.SIP_20252701095738583757327401213.bat.exe.6aa0000.6.raw.unpack, GIN969p26ehoNHS6Jy.csHigh entropy of concatenated method names: 'gIQ98RZh8b', 'OiR9Pxqd2j', 'iMp9FOYxav', 'Ak19mycQQc', 'SjM9JNBhWI', 'wjB9dpYI90', 'nFQ9gIlbPU', 'BTV9L6Jr7k', 'l8uARaCP3l6wftXrW3N', 't44RwICwbg1XIHn2lrm'
                  Source: 0.2.SIP_20252701095738583757327401213.bat.exe.6aa0000.6.raw.unpack, CjVCnTzbdp2nMZgNV1.csHigh entropy of concatenated method names: 'KmSbJ0MD3S', 'ae3bDTIwu0', 'nyGbgig6sP', 'qnbb33cQcU', 'rW9bBSMqjd', 'FeHbpQYlmg', 'IZ9byjo9SA', 'srPb8mgIDg', 'jsBbPaJZs5', 'SkybTHK2xB'
                  Source: 0.2.SIP_20252701095738583757327401213.bat.exe.6aa0000.6.raw.unpack, YpRJK7Kf6BsPf4wUhW.csHigh entropy of concatenated method names: 'Og9IrHQtEp', 'IAVI0IvVD2', 'BijevO1rno', 'g7peujNojR', 'rsPI1Ab4ps', 'oHPI41QL1d', 'VXJIWNBEmm', 'dIaIaelZrm', 'jIoI2ddDn9', 'XNmIjkpHYL'

                  Hooking and other Techniques for Hiding and Protection

                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exe; Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: Yara match; File source: Process Memory Space: SIP_20252701095738583757327401213.bat.exe PID: 1964, type: MEMORYSTR
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exe; Memory allocated: 2220000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exe; Memory allocated: 2420000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exe; Memory allocated: 4420000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exe; Memory allocated: 87B0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exe; Memory allocated: 7150000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exe; Memory allocated: 97B0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exe; Memory allocated: A7B0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exe; Memory allocated: 1530000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exe; Memory allocated: 3130000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exe; Memory allocated: 2F80000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exe; Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 7913
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 1624
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exe TID: 4808; Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7492; Thread sleep time: -4611686018427385s >= -30000s
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exe; Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
                  Source: SIP_20252701095738583757327401213.bat.exe, 00000006.00000002.2451546590.000000000120E000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllk
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exe; Process information queried: ProcessInformation
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exe; Process token adjusted: Debug
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process token adjusted: Debug
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exe; Process token adjusted: Debug
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exe; Memory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion

                  Source: 0.2.SIP_20252701095738583757327401213.bat.exe.348cd08.3.raw.unpack, UltraSpeed.cs; Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
                  Source: 0.2.SIP_20252701095738583757327401213.bat.exe.348cd08.3.raw.unpack, FFDecryptor.cs; Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
                  Source: 0.2.SIP_20252701095738583757327401213.bat.exe.348cd08.3.raw.unpack, FFDecryptor.cs; Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text9 + "\\mozglue.dll"))
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exe"
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exe; Process created: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exe "C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exe"
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exe; Queries volume information: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exe VolumeInformation
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exe; Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exe; Queries volume information: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exe VolumeInformation
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Stealing of Sensitive Information

                  Source: Yara match; File source: 6.2.SIP_20252701095738583757327401213.bat.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.2.SIP_20252701095738583757327401213.bat.exe.348cd08.3.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.2.SIP_20252701095738583757327401213.bat.exe.34a3b28.4.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.2.SIP_20252701095738583757327401213.bat.exe.34a3b28.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.2.SIP_20252701095738583757327401213.bat.exe.348cd08.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 00000006.00000002.2451051118.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000000.00000002.1270299842.0000000003429000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: Process Memory Space: SIP_20252701095738583757327401213.bat.exe PID: 1964, type: MEMORYSTR
                  Source: Yara match; File source: Process Memory Space: SIP_20252701095738583757327401213.bat.exe PID: 7332, type: MEMORYSTR
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                  Source: C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: Yara match; File source: 6.2.SIP_20252701095738583757327401213.bat.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.2.SIP_20252701095738583757327401213.bat.exe.348cd08.3.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.2.SIP_20252701095738583757327401213.bat.exe.34a3b28.4.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.2.SIP_20252701095738583757327401213.bat.exe.34a3b28.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.2.SIP_20252701095738583757327401213.bat.exe.348cd08.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 00000006.00000002.2451051118.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000006.00000002.2453692223.0000000003285000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000000.00000002.1270299842.0000000003429000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: Process Memory Space: SIP_20252701095738583757327401213.bat.exe PID: 1964, type: MEMORYSTR
                  Source: Yara match; File source: Process Memory Space: SIP_20252701095738583757327401213.bat.exe PID: 7332, type: MEMORYSTR

                  Remote Access Functionality

Source: Yara match, File source: 6.2.SIP_20252701095738583757327401213.bat.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.SIP_20252701095738583757327401213.bat.exe.348cd08.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.SIP_20252701095738583757327401213.bat.exe.34a3b28.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.SIP_20252701095738583757327401213.bat.exe.34a3b28.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.SIP_20252701095738583757327401213.bat.exe.348cd08.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000006.00000002.2451051118.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.1270299842.0000000003429000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: SIP_20252701095738583757327401213.bat.exe PID: 1964, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: SIP_20252701095738583757327401213.bat.exe PID: 7332, type: MEMORYSTR
MITRE ATT&CK Matrix (one line per tactic; the number in brackets is the count the report shows for an observed technique, techniques without a count were listed but not observed)

Reconnaissance: Gather Victim Identity Information | Credentials | Email Addresses | Employee Names | Gather Victim Network Information | Domain Properties | DNS | Network Trust Dependencies | Network Topology
Resource Development: Acquire Infrastructure | Domains | DNS Server | Virtual Private Server | Server | Botnet | Web Services | Serverless | Malvertising
Initial Access: Valid Accounts | Default Accounts | Domain Accounts | Local Accounts | Cloud Accounts | Replication Through Removable Media | External Remote Services | Drive-by Compromise | Exploit Public-Facing Application
Execution: Native API (1) | Scheduled Task/Job | At | Cron | Launchd | Scheduled Task | Systemd Timers | Container Orchestration Job | Command and Scripting Interpreter
Persistence: DLL Side-Loading (1) | Boot or Logon Initialization Scripts | Logon Script (Windows) | Login Hook | Network Logon Script | RC Scripts | Startup Items | Scheduled Task/Job | At
Privilege Escalation: Process Injection (11) | DLL Side-Loading (1) | Logon Script (Windows) | Login Hook | Network Logon Script | RC Scripts | Startup Items | Scheduled Task/Job | At
Defense Evasion: Masquerading (1) | Disable or Modify Tools (11) | Virtualization/Sandbox Evasion (31) | Process Injection (11) | Deobfuscate/Decode Files or Information (1) | Obfuscated Files or Information (3) | Software Packing (12) | Timestomp (1) | DLL Side-Loading (1)
Credential Access: OS Credential Dumping (1) | Input Capture (1) | Security Account Manager | NTDS | LSA Secrets | Cached Domain Credentials | DCSync | Proc Filesystem | /etc/passwd and /etc/shadow
Discovery: Security Software Discovery (1) | Process Discovery (1) | Virtualization/Sandbox Evasion (31) | Application Window Discovery (1) | System Network Configuration Discovery (1) | File and Directory Discovery (1) | System Information Discovery (13) | System Owner/User Discovery | Network Sniffing
Lateral Movement: Remote Services | Remote Desktop Protocol | SMB/Windows Admin Shares | Distributed Component Object Model | SSH | VNC | Windows Remote Management | Cloud Services | Direct Cloud VM Connections
Collection: Email Collection (1) | Input Capture (1) | Archive Collected Data (11) | Data from Local System (1) | Keylogging | GUI Input Capture | Web Portal Capture | Credential API Hooking | Data Staged
Command and Control: Encrypted Channel (11) | Ingress Tool Transfer (1) | Non-Application Layer Protocol (2) | Application Layer Protocol (13) | Fallback Channels | Multiband Communication | Commonly Used Port | Application Layer Protocol | Web Protocols
Exfiltration: Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth | Automated Exfiltration | Traffic Duplication | Scheduled Transfer | Data Transfer Size Limits | Exfiltration Over C2 Channel | Exfiltration Over Alternative Protocol | Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features | Network Denial of Service | Data Encrypted for Impact | Data Destruction | Data Encrypted for Impact | Service Stop | Inhibit System Recovery | Defacement | Internal Defacement
Behavior Graph ID: 1634988
Sample: SIP_20252701095738583757327...
Startdate: 11/03/2025
Architecture: WINDOWS
Score: 100

Network nodes: reallyfreegeoip.org; checkip.dyndns.org; checkip.dyndns.com
Sample-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 9 other signatures
reallyfreegeoip.org: Tries to detect the country of the analysis system (by using the IP)

Process SIP_20252701095738583757327401213.bat.exe (4) started
  Dropped file: SIP_20252701095738...7401213.bat.exe.log, ASCII
  Signature: Adds a directory exclusion to Windows Defender
  Started: SIP_20252701095738583757327401213.bat.exe (15 2); powershell.exe (23); SIP_20252701095738583757327401213.bat.exe

Child SIP_20252701095738583757327401213.bat.exe:
  Connections: checkip.dyndns.com 193.122.6.168, 49696, 80 ORACLE-BMC-31898US United States; reallyfreegeoip.org 104.21.64.1, 443, 49698 CLOUDFLARENETUS United States
  Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc)

powershell.exe:
  Signature: Loading BitLocker PowerShell Module
  Started: WmiPrvSE.exe; conhost.exe

Source | Detection | Scanner
SIP_20252701095738583757327401213.bat.exe | 32% | ReversingLabs
SIP_20252701095738583757327401213.bat.exe | 38% | Virustotal
                  No Antivirus matches
                  No Antivirus matches
                  No Antivirus matches
                  No Antivirus matches
Name | IP | Active | Malicious | Reputation
reallyfreegeoip.org | 104.21.64.1 | true | false | high
checkip.dyndns.com | 193.122.6.168 | true | false | high
checkip.dyndns.org | unknown | unknown | false | high
Name | Malicious | Reputation
http://checkip.dyndns.org/ | false | high
https://reallyfreegeoip.org/xml/8.46.123.189 | false | high
Name | Source | Malicious | Reputation
https://reallyfreegeoip.org/xml/8.46.123.189l | SIP_20252701095738583757327401213.bat.exe, 00000006.00000002.2453692223.00000000031AF000.00000004.00000800.00020000.00000000.sdmp | false | high
http://checkip.dyndns.comd | SIP_20252701095738583757327401213.bat.exe, 00000006.00000002.2453692223.00000000031AF000.00000004.00000800.00020000.00000000.sdmp | false | high
http://checkip.dyndns.org/q | SIP_20252701095738583757327401213.bat.exe, 00000000.00000002.1270299842.0000000003429000.00000004.00000800.00020000.00000000.sdmp, SIP_20252701095738583757327401213.bat.exe, 00000006.00000002.2451051118.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | high
http://reallyfreegeoip.orgd | SIP_20252701095738583757327401213.bat.exe, 00000006.00000002.2453692223.00000000031CB000.00000004.00000800.00020000.00000000.sdmp | false | high
https://reallyfreegeoip.org/xml/8.46.123.189d | SIP_20252701095738583757327401213.bat.exe, 00000006.00000002.2453692223.00000000031AF000.00000004.00000800.00020000.00000000.sdmp | false | high
http://reallyfreegeoip.org | SIP_20252701095738583757327401213.bat.exe, 00000006.00000002.2453692223.00000000031CB000.00000004.00000800.00020000.00000000.sdmp | false | high
http://checkip.dyndns.orgd | SIP_20252701095738583757327401213.bat.exe, 00000006.00000002.2453692223.00000000031AF000.00000004.00000800.00020000.00000000.sdmp | false | high
https://reallyfreegeoip.org | SIP_20252701095738583757327401213.bat.exe, 00000006.00000002.2453692223.00000000031AF000.00000004.00000800.00020000.00000000.sdmp | false | high
http://checkip.dyndns.org | SIP_20252701095738583757327401213.bat.exe, 00000006.00000002.2453692223.00000000031AF000.00000004.00000800.00020000.00000000.sdmp, SIP_20252701095738583757327401213.bat.exe, 00000006.00000002.2453692223.0000000003131000.00000004.00000800.00020000.00000000.sdmp | false | high
http://checkip.dyndns.com | SIP_20252701095738583757327401213.bat.exe, 00000006.00000002.2453692223.00000000031AF000.00000004.00000800.00020000.00000000.sdmp | false | high
http://checkip.dyndns.org/d | SIP_20252701095738583757327401213.bat.exe, 00000006.00000002.2453692223.00000000031AF000.00000004.00000800.00020000.00000000.sdmp | false | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | SIP_20252701095738583757327401213.bat.exe, 00000000.00000002.1266324152.0000000002470000.00000004.00000800.00020000.00000000.sdmp, SIP_20252701095738583757327401213.bat.exe, 00000006.00000002.2453692223.0000000003131000.00000004.00000800.00020000.00000000.sdmp | false | high
https://www.chiark.greenend.org.uk/~sgtatham/putty/0 | SIP_20252701095738583757327401213.bat.exe | false | high
https://api.telegram.org/bot-/sendDocument?chat_id= | SIP_20252701095738583757327401213.bat.exe, 00000000.00000002.1270299842.0000000003429000.00000004.00000800.00020000.00000000.sdmp, SIP_20252701095738583757327401213.bat.exe, 00000006.00000002.2451051118.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | high
https://reallyfreegeoip.org/xml/ | SIP_20252701095738583757327401213.bat.exe, 00000000.00000002.1270299842.0000000003429000.00000004.00000800.00020000.00000000.sdmp, SIP_20252701095738583757327401213.bat.exe, 00000006.00000002.2451051118.0000000000402000.00000040.00000400.00020000.00000000.sdmp, SIP_20252701095738583757327401213.bat.exe, 00000006.00000002.2453692223.00000000031AF000.00000004.00000800.00020000.00000000.sdmp | false | high
IP | Domain | Country | ASN | ASN Name | Malicious
193.122.6.168 | checkip.dyndns.com | United States | 31898 | ORACLE-BMC-31898US | false
104.21.64.1 | reallyfreegeoip.org | United States | 13335 | CLOUDFLARENETUS | false
                                                          Joe Sandbox version:42.0.0 Malachite
                                                          Analysis ID:1634988
                                                          Start date and time:2025-03-11 08:53:05 +01:00
                                                          Joe Sandbox product:CloudBasic
                                                          Overall analysis duration:0h 6m 13s
                                                          Hypervisor based Inspection enabled:false
                                                          Report type:full
                                                          Cookbook file name:default.jbs
                                                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:17
                                                          Number of new started drivers analysed:0
                                                          Number of existing processes analysed:0
                                                          Number of existing drivers analysed:0
                                                          Number of injected processes analysed:0
                                                          Technologies:
                                                          • HCA enabled
                                                          • EGA enabled
                                                          • AMSI enabled
                                                          Analysis Mode:default
                                                          Analysis stop reason:Timeout
                                                          Sample name:SIP_20252701095738583757327401213.bat.exe
                                                          Detection:MAL
                                                          Classification:mal100.troj.spyw.evad.winEXE@9/6@2/2
                                                          EGA Information:
                                                          • Successful, ratio: 50%
                                                          HCA Information:
                                                          • Successful, ratio: 99%
                                                          • Number of executed functions: 68
                                                          • Number of non-executed functions: 2
                                                          Cookbook Comments:
                                                          • Found application associated with file extension: .exe
                                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                                          • Excluded IPs from analysis (whitelisted): 104.96.149.92, 52.149.20.212
                                                          • Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                          • Execution Graph export aborted for target SIP_20252701095738583757327401213.bat.exe, PID 7332 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                                          • Report size getting too big, too many NtCreateKey calls found.
                                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                                          • Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
03:53:57 | API Interceptor | 1x Sleep call for process: SIP_20252701095738583757327401213.bat.exe modified
03:54:04 | API Interceptor | 16x Sleep call for process: powershell.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
193.122.6.168:
  4kobC6KGC3.exe | malicious | GuLoader, Snake Keylogger | checkip.dyndns.org/
  p7wgyD3kbI.exe | malicious | GuLoader, Snake Keylogger | checkip.dyndns.org/
  hcy2SdW2z6.exe | malicious | Snake Keylogger | checkip.dyndns.org/
  C7fclY8IiM.exe | malicious | GuLoader, Snake Keylogger | checkip.dyndns.org/
  oybsEA5EhR.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
  REQ. NO.237.exe | malicious | Snake Keylogger | checkip.dyndns.org/
  vkd6SXGk6Z.exe | malicious | MSIL Logger, MassLogger RAT | checkip.dyndns.org/
  dZwh4PQRW5.exe | malicious | MSIL Logger, MassLogger RAT | checkip.dyndns.org/
  q7gFxqPoKo.exe | malicious | GuLoader, Snake Keylogger | checkip.dyndns.org/
  q7gFxqPoKo.exe | malicious | GuLoader, Snake Keylogger | checkip.dyndns.org/
104.21.64.1:
  Compliance_Review_Documents_COSCO20250307_pdf.bat.exe | malicious | Lokibot | touxzw.ir/sccc/five/fre.php
  0xHPSESJcg.exe | malicious | FormBook | www.otogel.pro/oi08/?Ezu=HLGOigk8zC7c6l2lrMh01rQ2OJKxivxPRh38Fqcsh+790en3zOTPiNsvxvX68DUiI9Ju&q6A=GbtXjbKPa
  7zKn77RsRX.exe | malicious | FormBook | www.newanthoperso.shop/3nis/
  IBbGrGi4A7.exe | malicious | FormBook | www.rbopisalive.cyou/a669/
  ysWQ4BqQrF.exe | malicious | FormBook | www.play-vanguard-nirvana.xyz/egs9/?mVfp=MTrLPvVhZLm&K8elV=2m/uVQwqKH2EIWlawszTKzvIepBfVH/HI19qzylF05nDLsWuBLn1pb4DiFDzbC4NqmTLwL8cGw==
  TXzf0xX2uq.exe | malicious | Lokibot | touxzw.ir/tking3/five/fre.php
  begin.exe | malicious | DarkTortilla, FormBook | www.kdrqcyusevx.info/z84n/
  Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe | malicious | Lokibot | touxzw.ir/fix/five/fre.php
  Payment.exe | malicious | Lokibot | touxzw.ir/sccc/five/fre.php
  7RryusxiMtHBz80.exe | malicious | Lokibot | touxzw.ir/sss2/five/fre.php
Match | Associated Sample Name / URL | Detection | Threat Name | Context
checkip.dyndns.com:
  SHIPPING ADVICE#2025.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.130.0
  BL-INVOICE DOCUMENTS.exe | malicious | Snake Keylogger, VIP Keylogger | 132.226.247.73
  rDatosbancarios.exe | malicious | GuLoader, Snake Keylogger | 193.122.130.0
  rDatosbancarios.exe | malicious | GuLoader, Snake Keylogger | 158.101.44.242
  4kobC6KGC3.exe | malicious | GuLoader, Snake Keylogger | 193.122.6.168
  z101007R1DRG.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.130.0
  SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe | malicious | Snake Keylogger, VIP Keylogger | 158.101.44.242
  uyqMsPsOG1.exe | malicious | MassLogger RAT, Snake Keylogger, VIP Keylogger | 132.226.8.169
  hKYhCefzJK.exe | malicious | GuLoader, Snake Keylogger | 193.122.130.0
  p7wgyD3kbI.exe | malicious | GuLoader, Snake Keylogger | 193.122.6.168
reallyfreegeoip.org:
  SHIPPING ADVICE#2025.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.80.1
  BL-INVOICE DOCUMENTS.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.32.1
  rDatosbancarios.exe | malicious | GuLoader, Snake Keylogger | 104.21.16.1
  rDatosbancarios.exe | malicious | GuLoader, Snake Keylogger | 104.21.96.1
  4kobC6KGC3.exe | malicious | GuLoader, Snake Keylogger | 104.21.64.1
  SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.16.1
  uyqMsPsOG1.exe | malicious | MassLogger RAT, Snake Keylogger, VIP Keylogger | 104.21.48.1
  hKYhCefzJK.exe | malicious | GuLoader, Snake Keylogger | 104.21.48.1
  p7wgyD3kbI.exe | malicious | GuLoader, Snake Keylogger | 104.21.112.1
  pbgjw8i8N7.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.96.1
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ORACLE-BMC-31898US:
  SHIPPING ADVICE#2025.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.130.0
  rDatosbancarios.exe | malicious | GuLoader, Snake Keylogger | 193.122.130.0
  rDatosbancarios.exe | malicious | GuLoader, Snake Keylogger | 158.101.44.242
  4kobC6KGC3.exe | malicious | GuLoader, Snake Keylogger | 193.122.6.168
  z101007R1DRG.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.130.0
  SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe | malicious | Snake Keylogger, VIP Keylogger | 158.101.44.242
  hKYhCefzJK.exe | malicious | GuLoader, Snake Keylogger | 193.122.130.0
  p7wgyD3kbI.exe | malicious | GuLoader, Snake Keylogger | 193.122.6.168
  pbgjw8i8N7.exe | malicious | Snake Keylogger, VIP Keylogger | 158.101.44.242
  hcy2SdW2z6.exe | malicious | Snake Keylogger | 193.122.6.168
CLOUDFLARENETUS:
  SHIPPING ADVICE#2025.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.80.1
  f1215887448.exe | malicious | Unknown | 104.16.99.29
  https://u1.overuseunderuse.shop/Siarhei_Korbut_-_Unwed.mp3 | malicious | Unknown | 104.21.16.1
  BL-INVOICE DOCUMENTS.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.32.1
  p2phAgw7lp.lnk | malicious | Unknown | 104.21.62.177
  pesanan09900011.exe | malicious | FormBook | 172.67.199.232
  https://mr.nerfcancun.top/ | malicious | Unknown | 104.21.75.61
  rDatosbancarios.exe | malicious | GuLoader, Snake Keylogger | 104.21.16.1
  rDatosbancarios.exe | malicious | GuLoader, Snake Keylogger | 104.21.96.1
  Compliance_Review_Documents_COSCO20250307_pdf.bat.exe | malicious | Lokibot | 104.21.64.1
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: 54328bd36c14bd82ddaa0c04b25ed9ad
• SHIPPING ADVICE#2025.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.64.1
• BL-INVOICE DOCUMENTS.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.64.1
• rDatosbancarios.exe | malicious | GuLoader, Snake Keylogger | 104.21.64.1
• rDatosbancarios.exe | malicious | GuLoader, Snake Keylogger | 104.21.64.1
• 4kobC6KGC3.exe | malicious | GuLoader, Snake Keylogger | 104.21.64.1
• SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.64.1
• uyqMsPsOG1.exe | malicious | MassLogger RAT, Snake Keylogger, VIP Keylogger | 104.21.64.1
• hKYhCefzJK.exe | malicious | GuLoader, Snake Keylogger | 104.21.64.1
• p7wgyD3kbI.exe | malicious | GuLoader, Snake Keylogger | 104.21.64.1
• pbgjw8i8N7.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.64.1
                                                          No context
                                                          Process:C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):1216
                                                          Entropy (8bit):5.34331486778365
                                                          Encrypted:false
                                                          SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                          MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                          SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                          SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                          SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                          Malicious:true
                                                          Reputation:high, very likely benign file
                                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):2232
                                                          Entropy (8bit):5.379552885213346
                                                          Encrypted:false
                                                          SSDEEP:48:fWSU4xympjgs4RIoU99tK8NPZHUl7u1iMuge//YM0Uyus:fLHxvCsIfA2KRHmOug81s
                                                          MD5:94DC6DDD1B20A9D38645C8A92BB268EB
                                                          SHA1:29BF6C96B5F2C36FD6522943CF063336228D486E
                                                          SHA-256:6D955BC074CC7A6061D3884458D5E36A5CA0451786BD742187281F3410F4B2E6
                                                          SHA-512:4491DDE25657A52C10E9A30CE4EB86719714363D0E371E848B3501575523CC209867DD50065B0E6A393AF643CE86E30A274265645E558AA4DA31372462EE3D75
                                                          Malicious:false
                                                          Reputation:low
                                                          Preview:@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Entropy (8bit):7.77038465391948
                                                          TrID:
                                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.98%
                                                          • Win32 Executable (generic) a (10002005/4) 49.93%
                                                          • Windows Screen Saver (13104/52) 0.07%
                                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                                          • DOS Executable Generic (2002/1) 0.01%
                                                          File name:SIP_20252701095738583757327401213.bat.exe
                                                          File size:538'120 bytes
                                                          MD5:9182b0dd46fcfb344d576fbd13b81538
                                                          SHA1:f10c41ce064b119d599ab7cfb306eff801adaa33
                                                          SHA256:b74ffc3b3d45094970d071d5af22cb7b8ebe5a67bc23347dd61f7ecafa2b9f85
                                                          SHA512:fd567edf3ad5ad850ddd7011ef1028da3362b42037fca52125d1c8acc23d53912058b2f0de68c6db0de932b7447d318021f69ce2465e370e3415f3c4184f4677
                                                          SSDEEP:12288:6buc154ghhTGUQisCVyDjfwj5sukQHSNIqiVYLwYFT0HaXQee3SkR:6buaOuyPwj5vkQHZqiOLDvO
                                                          TLSH:BBB4F195E3B8EF91D5B05BB00D71E23207B96E2EE430E2465DD8ACDB34A1764302976F
                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....`...............0.................. ... ....@.. .......................`............@................................
                                                          Icon Hash:32ceac86b2968ee0
                                                          Entrypoint:0x4807c2
                                                          Entrypoint Section:.text
                                                          Digitally signed:true
                                                          Imagebase:0x400000
                                                          Subsystem:windows gui
                                                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                          Time Stamp:0xD360E883 [Mon May 18 15:25:55 2082 UTC]
                                                          TLS Callbacks:
                                                          CLR (.Net) Version:
                                                          OS Version Major:4
                                                          OS Version Minor:0
                                                          File Version Major:4
                                                          File Version Minor:0
                                                          Subsystem Version Major:4
                                                          Subsystem Version Minor:0
                                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                          Signature Valid:false
                                                          Signature Issuer:CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
                                                          Signature Validation Error:The digital signature of the object did not verify
                                                          Error Number:-2146869232
                                                          Not Before, Not After
                                                          • 13/11/2018 01:00:00 09/11/2021 00:59:59
                                                          Subject Chain
                                                          • CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
                                                          Version:3
                                                          Thumbprint MD5:DABD77E44EF6B3BB91740FA46696B779
                                                          Thumbprint SHA-1:5B9E273CF11941FD8C6BE3F038C4797BBE884268
                                                          Thumbprint SHA-256:4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
                                                          Serial:7C1118CBBADC95DA3752C46E47A27438
                                                          Instruction
                                                          jmp dword ptr [00402000h]
add byte ptr [eax], al   (repeated 97 times: the 00 00 padding bytes that follow the jmp stub)
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8076f | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x82000 | 0x13dc | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x80000 | 0x3608 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x84000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x7e64c | 0x70 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x7e7c8 | 0x7e800 | 17a64eeafe04e7c5e0f4d333eb1751f9 | False | 0.9016200129693676 | data | 7.781630403619485 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x82000 | 0x13dc | 0x1400 | c44efb9605a5deb9f5d518acc0ddefd5 | False | 0.324609375 | data | 4.777112280087591 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x84000 | 0xc | 0x200 | d70b232239be5afc6e6cb760dd018e27 | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x82130 | 0xda8 | Device independent bitmap graphic, 26 x 64 x 32, image size 3328 | | | 0.2620137299771167
RT_GROUP_ICON | 0x82ed8 | 0x14 | data | | | 1.1
RT_VERSION | 0x82eec | 0x304 | data | | | 0.4339378238341969
RT_MANIFEST | 0x831f0 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Description | Data
Translation | 0x0000 0x04b0
Comments |
CompanyName |
FileDescription | AdminDB
FileVersion | 1.0.0.0
InternalName | fOXZ.exe
LegalCopyright | Copyright 2024
LegalTrademarks |
OriginalFilename | fOXZ.exe
ProductName | AdminDB
ProductVersion | 1.0.0.0
Assembly Version | 1.0.0.0
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-03-11T08:54:06.437892+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.6 | 49696 | 193.122.6.168 | 80 | TCP
                                                          Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                          Mar 11, 2025 08:54:05.493405104 CET | 49696 | 80 | 192.168.2.6 | 193.122.6.168
                                                          Mar 11, 2025 08:54:05.498368979 CET | 80 | 49696 | 193.122.6.168 | 192.168.2.6
                                                          Mar 11, 2025 08:54:05.498456001 CET | 49696 | 80 | 192.168.2.6 | 193.122.6.168
                                                          Mar 11, 2025 08:54:05.498717070 CET | 49696 | 80 | 192.168.2.6 | 193.122.6.168
                                                          Mar 11, 2025 08:54:05.503634930 CET | 80 | 49696 | 193.122.6.168 | 192.168.2.6
                                                          Mar 11, 2025 08:54:06.184909105 CET | 80 | 49696 | 193.122.6.168 | 192.168.2.6
                                                          Mar 11, 2025 08:54:06.195197105 CET | 49696 | 80 | 192.168.2.6 | 193.122.6.168
                                                          Mar 11, 2025 08:54:06.200139046 CET | 80 | 49696 | 193.122.6.168 | 192.168.2.6
                                                          Mar 11, 2025 08:54:06.397372007 CET | 80 | 49696 | 193.122.6.168 | 192.168.2.6
                                                          Mar 11, 2025 08:54:06.437891960 CET | 49696 | 80 | 192.168.2.6 | 193.122.6.168
                                                          Mar 11, 2025 08:54:06.457711935 CET | 49698 | 443 | 192.168.2.6 | 104.21.64.1
                                                          Mar 11, 2025 08:54:06.457760096 CET | 443 | 49698 | 104.21.64.1 | 192.168.2.6
                                                          Mar 11, 2025 08:54:06.458075047 CET | 49698 | 443 | 192.168.2.6 | 104.21.64.1
                                                          Mar 11, 2025 08:54:06.487277985 CET | 49698 | 443 | 192.168.2.6 | 104.21.64.1
                                                          Mar 11, 2025 08:54:06.487303019 CET | 443 | 49698 | 104.21.64.1 | 192.168.2.6
                                                          Mar 11, 2025 08:54:08.216104984 CET | 443 | 49698 | 104.21.64.1 | 192.168.2.6
                                                          Mar 11, 2025 08:54:08.216166019 CET | 49698 | 443 | 192.168.2.6 | 104.21.64.1
                                                          Mar 11, 2025 08:54:08.221227884 CET | 49698 | 443 | 192.168.2.6 | 104.21.64.1
                                                          Mar 11, 2025 08:54:08.221235991 CET | 443 | 49698 | 104.21.64.1 | 192.168.2.6
                                                          Mar 11, 2025 08:54:08.221749067 CET | 443 | 49698 | 104.21.64.1 | 192.168.2.6
                                                          Mar 11, 2025 08:54:08.297048092 CET | 49698 | 443 | 192.168.2.6 | 104.21.64.1
                                                          Mar 11, 2025 08:54:08.336030960 CET | 49698 | 443 | 192.168.2.6 | 104.21.64.1
                                                          Mar 11, 2025 08:54:08.380321980 CET | 443 | 49698 | 104.21.64.1 | 192.168.2.6
                                                          Mar 11, 2025 08:54:08.717541933 CET | 443 | 49698 | 104.21.64.1 | 192.168.2.6
                                                          Mar 11, 2025 08:54:08.717642069 CET | 443 | 49698 | 104.21.64.1 | 192.168.2.6
                                                          Mar 11, 2025 08:54:08.717715025 CET | 49698 | 443 | 192.168.2.6 | 104.21.64.1
                                                          Mar 11, 2025 08:54:08.725811005 CET | 49698 | 443 | 192.168.2.6 | 104.21.64.1
                                                          Mar 11, 2025 08:55:11.399687052 CET | 80 | 49696 | 193.122.6.168 | 192.168.2.6
                                                          Mar 11, 2025 08:55:11.401567936 CET | 49696 | 80 | 192.168.2.6 | 193.122.6.168
                                                          Mar 11, 2025 08:55:46.407058001 CET | 49696 | 80 | 192.168.2.6 | 193.122.6.168
                                                          Mar 11, 2025 08:55:46.412108898 CET | 80 | 49696 | 193.122.6.168 | 192.168.2.6
                                                          Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                          Mar 11, 2025 08:54:05.454104900 CET | 60945 | 53 | 192.168.2.6 | 1.1.1.1
                                                          Mar 11, 2025 08:54:05.461364031 CET | 53 | 60945 | 1.1.1.1 | 192.168.2.6
                                                          Mar 11, 2025 08:54:06.447204113 CET | 56173 | 53 | 192.168.2.6 | 1.1.1.1
                                                          Mar 11, 2025 08:54:06.455615044 CET | 53 | 56173 | 1.1.1.1 | 192.168.2.6
                                                          Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                          Mar 11, 2025 08:54:05.454104900 CET | 192.168.2.6 | 1.1.1.1 | 0x5271 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
                                                          Mar 11, 2025 08:54:06.447204113 CET | 192.168.2.6 | 1.1.1.1 | 0xe06d | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
                                                          Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                          Mar 11, 2025 08:54:05.461364031 CET | 1.1.1.1 | 192.168.2.6 | 0x5271 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001) | false
                                                          Mar 11, 2025 08:54:05.461364031 CET | 1.1.1.1 | 192.168.2.6 | 0x5271 | No error (0) | checkip.dyndns.com | | 193.122.6.168 | A (IP address) | IN (0x0001) | false
                                                          Mar 11, 2025 08:54:05.461364031 CET | 1.1.1.1 | 192.168.2.6 | 0x5271 | No error (0) | checkip.dyndns.com | | 158.101.44.242 | A (IP address) | IN (0x0001) | false
                                                          Mar 11, 2025 08:54:05.461364031 CET | 1.1.1.1 | 192.168.2.6 | 0x5271 | No error (0) | checkip.dyndns.com | | 193.122.130.0 | A (IP address) | IN (0x0001) | false
                                                          Mar 11, 2025 08:54:05.461364031 CET | 1.1.1.1 | 192.168.2.6 | 0x5271 | No error (0) | checkip.dyndns.com | | 132.226.247.73 | A (IP address) | IN (0x0001) | false
                                                          Mar 11, 2025 08:54:05.461364031 CET | 1.1.1.1 | 192.168.2.6 | 0x5271 | No error (0) | checkip.dyndns.com | | 132.226.8.169 | A (IP address) | IN (0x0001) | false
                                                          Mar 11, 2025 08:54:06.455615044 CET | 1.1.1.1 | 192.168.2.6 | 0xe06d | No error (0) | reallyfreegeoip.org | | 104.21.64.1 | A (IP address) | IN (0x0001) | false
                                                          Mar 11, 2025 08:54:06.455615044 CET | 1.1.1.1 | 192.168.2.6 | 0xe06d | No error (0) | reallyfreegeoip.org | | 104.21.80.1 | A (IP address) | IN (0x0001) | false
                                                          Mar 11, 2025 08:54:06.455615044 CET | 1.1.1.1 | 192.168.2.6 | 0xe06d | No error (0) | reallyfreegeoip.org | | 104.21.32.1 | A (IP address) | IN (0x0001) | false
                                                          Mar 11, 2025 08:54:06.455615044 CET | 1.1.1.1 | 192.168.2.6 | 0xe06d | No error (0) | reallyfreegeoip.org | | 104.21.48.1 | A (IP address) | IN (0x0001) | false
                                                          Mar 11, 2025 08:54:06.455615044 CET | 1.1.1.1 | 192.168.2.6 | 0xe06d | No error (0) | reallyfreegeoip.org | | 104.21.96.1 | A (IP address) | IN (0x0001) | false
                                                          Mar 11, 2025 08:54:06.455615044 CET | 1.1.1.1 | 192.168.2.6 | 0xe06d | No error (0) | reallyfreegeoip.org | | 104.21.112.1 | A (IP address) | IN (0x0001) | false
                                                          Mar 11, 2025 08:54:06.455615044 CET | 1.1.1.1 | 192.168.2.6 | 0xe06d | No error (0) | reallyfreegeoip.org | | 104.21.16.1 | A (IP address) | IN (0x0001) | false
                                                          • reallyfreegeoip.org
                                                          • checkip.dyndns.org
                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          0 | 192.168.2.6 | 49696 | 193.122.6.168 | 80 | 7332 | C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Mar 11, 2025 08:54:05.498717070 CET | 151 | OUT | GET / HTTP/1.1
                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                          Host: checkip.dyndns.org
                                                          Connection: Keep-Alive
                                                          Mar 11, 2025 08:54:06.184909105 CET | 273 | IN | HTTP/1.1 200 OK
                                                          Date: Tue, 11 Mar 2025 07:54:06 GMT
                                                          Content-Type: text/html
                                                          Content-Length: 104
                                                          Connection: keep-alive
                                                          Cache-Control: no-cache
                                                          Pragma: no-cache
                                                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
                                                          Mar 11, 2025 08:54:06.195197105 CET | 127 | OUT | GET / HTTP/1.1
                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                          Host: checkip.dyndns.org
                                                          Mar 11, 2025 08:54:06.397372007 CET | 273 | IN | HTTP/1.1 200 OK
                                                          Date: Tue, 11 Mar 2025 07:54:06 GMT
                                                          Content-Type: text/html
                                                          Content-Length: 104
                                                          Connection: keep-alive
                                                          Cache-Control: no-cache
                                                          Pragma: no-cache
                                                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          0 | 192.168.2.6 | 49698 | 104.21.64.1 | 443 | 7332 | C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          2025-03-11 07:54:08 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                                          Host: reallyfreegeoip.org
                                                          Connection: Keep-Alive
                                                          2025-03-11 07:54:08 UTC | 851 | IN | HTTP/1.1 200 OK
                                                          Date: Tue, 11 Mar 2025 07:54:08 GMT
                                                          Content-Type: text/xml
                                                          Content-Length: 362
                                                          Connection: close
                                                          Age: 89561
                                                          Cache-Control: max-age=31536000
                                                          cf-cache-status: HIT
                                                          last-modified: Mon, 10 Mar 2025 07:01:26 GMT
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UZ7iKWiJUvHfaRD7046iyNHGCHWDQIERmAJNIk0opZ8Rqv1DcuQQlHnN6BMyocwJhDjkQiC4SijFrEwAxHd%2FAowrh6sWBK36iGZvHkqO8visbYu7KCgjguUpBK3OuAENLCFu9iF2"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 91e97b6b3f3e0805-IAD
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=23146&min_rtt=22062&rtt_var=7010&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=119570&cwnd=236&unsent_bytes=0&cid=d166c8434620d99c&ts=628&x=0"
                                                          2025-03-11 07:54:08 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                          Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

                                                          Target ID:0
                                                          Start time:03:53:57
                                                          Start date:11/03/2025
                                                          Path:C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exe"
                                                          Imagebase:0x80000
                                                          File size:538'120 bytes
                                                          MD5 hash:9182B0DD46FCFB344D576FBD13B81538
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000000.00000002.1270299842.0000000003429000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1270299842.0000000003429000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_MSILLogger, Description: Yara detected MSIL Logger, Source: 00000000.00000002.1270299842.0000000003429000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1270299842.0000000003429000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1270299842.0000000003429000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                          Reputation:low
                                                          Has exited:true

                                                          Target ID:3
                                                          Start time:03:54:03
                                                          Start date:11/03/2025
                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exe"
                                                          Imagebase:0xe90000
                                                          File size:433'152 bytes
                                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:4
                                                          Start time:03:54:03
                                                          Start date:11/03/2025
                                                          Path:C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exe"
                                                          Imagebase:0x210000
                                                          File size:538'120 bytes
                                                          MD5 hash:9182B0DD46FCFB344D576FBD13B81538
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:low
                                                          Has exited:true

                                                          Target ID:5
                                                          Start time:03:54:03
                                                          Start date:11/03/2025
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff68dae0000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:6
                                                          Start time:03:54:03
                                                          Start date:11/03/2025
                                                          Path:C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Users\user\Desktop\SIP_20252701095738583757327401213.bat.exe"
                                                          Imagebase:0xd60000
                                                          File size:538'120 bytes
                                                          MD5 hash:9182B0DD46FCFB344D576FBD13B81538
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000006.00000002.2451051118.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.2451051118.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_MSILLogger, Description: Yara detected MSIL Logger, Source: 00000006.00000002.2451051118.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000006.00000002.2451051118.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000006.00000002.2451051118.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.2453692223.0000000003285000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          Reputation:low
                                                          Has exited:false

                                                          Target ID:13
                                                          Start time:03:54:06
                                                          Start date:11/03/2025
                                                          Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                          Imagebase:0x7ff65f400000
                                                          File size:496'640 bytes
                                                          MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                          Has elevated privileges:true
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true