Edit tour

Windows Analysis Report
D9876543456780000.exe

Overview

General Information

Sample name:	D9876543456780000.exe
Analysis ID:	1629967
MD5:	1fede4be782e73bb402f202e355f8e5d
SHA1:	a744d7c42b304da92d9ba36c674cb44d4b1cfab8
SHA256:	7b408a4b96dafc7827412d9e9caf5075e0fd398c58d22ea3607399f609d3a88f
Tags:	exeuser-threatcat_ch
Infos:

Detection

AgentTesla, DBatLoader, PureLog Stealer

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AgentTesla

Yara detected DBatLoader

Yara detected PureLog Stealer

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Allocates memory in foreign processes

Check if machine is in data center or colocation facility

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to log keystrokes (.Net Source)

Drops PE files with a suspicious file extension

Joe Sandbox ML detected suspicious sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses process hollowing technique

Sigma detected: DLL Search Order Hijackig Via Additional Space in Path

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to dynamically determine API calls

Contains functionality to launch a process as a different user

Contains functionality to query locales information (e.g. system language)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Execution of Suspicious File Type Extension

Uses 32bit PE files

Uses FTP

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

D9876543456780000.exe (PID: 5264 cmdline: "C:\Users\user\Desktop\D9876543456780000.exe" MD5: 1FEDE4BE782E73BB402F202E355F8E5D)

cmd.exe (PID: 6924 cmdline: C:\Windows\system32\cmd.exe /c ""C:\\Users\\All Users\\863.cmd"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5348 cmdline: C:\Windows\system32\cmd.exe /c ""C:\\Users\\All Users\\41175.cmd"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

rwmbmyrA.pif (PID: 4312 cmdline: C:\\Users\\user\\Links\rwmbmyrA.pif MD5: C116D3604CEAFE7057D77FF27552C215)

Arymbmwr.PIF (PID: 4448 cmdline: "C:\Users\user\Links\Arymbmwr.PIF" MD5: 1FEDE4BE782E73BB402F202E355F8E5D)

rwmbmyrA.pif (PID: 6976 cmdline: C:\\Users\\user\\Links\rwmbmyrA.pif MD5: C116D3604CEAFE7057D77FF27552C215)

Arymbmwr.PIF (PID: 2200 cmdline: "C:\Users\user\Links\Arymbmwr.PIF" MD5: 1FEDE4BE782E73BB402F202E355F8E5D)

rwmbmyrA.pif (PID: 5704 cmdline: C:\\Users\\user\\Links\rwmbmyrA.pif MD5: C116D3604CEAFE7057D77FF27552C215)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name	Description	Attribution	Blogpost URLs	Link
DBatLoader	This Delphi loader misuses Cloud storage services, such as Google Drive to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it.	No Attribution	https://blog.vincss.net/2020/09/re016-malware-analysis-modiloader-eng.html https://blog.vincss.net/re016-malware-analysis-modiloader/ https://gi7w0rm.medium.com/uncovering-ddgroup-a-long-time-threat-actor-d3b3020625a4 https://isc.sans.edu/diary/Malspam+pushes+ModiLoader+DBatLoader+infection+for+Remcos+RAT/29896 https://kienmanowar.wordpress.com/2024/04/09/quicknote-phishing-email-distributes-warzone-rat-via-dbatloader/	https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "FTP", "Host": "ftp://ftp.antoniomayol.com:21", "Username": "johnson@antoniomayol.com", "Password": "cMhKDQUk1{;%"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000009.00000002.1959828527.000000003367E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000007.00000002.1867038136.000000001C6BF000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.1867038136.000000001C6BF000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000007.00000002.1867038136.000000001C6BF000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000009.00000002.1961012950.0000000034621000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.1961012950.0000000034621000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000009.00000002.1961012950.0000000034621000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000C.00000002.2953099355.00000000331E1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000002.2953099355.00000000331E1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000C.00000002.2953099355.00000000331E1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000009.00000001.1808799246.0000000000400000.00000040.00000001.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 AF 88 44 24 2B 88 44 24 2F B0 73 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
0000000C.00000002.2930555971.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 AF 88 44 24 2B 88 44 24 2F B0 73 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
0000000C.00000002.2954305283.0000000034700000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000002.2954305283.0000000034700000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000C.00000002.2954305283.0000000034700000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000C.00000002.2954305283.0000000034700000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x412e9:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x4135b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x413e5:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x41477:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x414e1:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x41553:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x415e9:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x41679:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0000000C.00000002.2954305283.0000000034700000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x3b193:$s2: GetPrivateProfileString 0x3e47d:$s3: get_OSFullName 0x3b933:$s5: remove_Key 0x3b953:$s5: remove_Key 0x3e8d8:$s6: FtpWebRequest 0x412cb:$s7: logins 0x4183d:$s7: logins 0x44520:$s7: logins 0x44600:$s7: logins 0x476ce:$s7: logins 0x4519a:$s9: 1.85 (Hash, version 2, native byte-order)
0000000C.00000002.2953458716.0000000034660000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000002.2953458716.0000000034660000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000C.00000002.2953458716.0000000034660000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000C.00000002.2953458716.0000000034660000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x421f1:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x42263:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x422ed:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x4237f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x423e9:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x4245b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x424f1:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x42581:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0000000C.00000002.2953458716.0000000034660000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x3c09b:$s2: GetPrivateProfileString 0x3f385:$s3: get_OSFullName 0x3c83b:$s5: remove_Key 0x3c85b:$s5: remove_Key 0x3f7e0:$s6: FtpWebRequest 0x421d3:$s7: logins 0x42745:$s7: logins 0x45428:$s7: logins 0x45508:$s7: logins 0x485d6:$s7: logins 0x460a2:$s9: 1.85 (Hash, version 2, native byte-order)
0000000C.00000001.1895125700.0000000000400000.00000040.00000001.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 AF 88 44 24 2B 88 44 24 2F B0 73 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000009.00000003.1811055079.000000003157E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000003.1811055079.000000003157E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000009.00000003.1811055079.000000003157E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000007.00000003.1692827572.000000001AC96000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000003.1692827572.000000001AC96000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000007.00000003.1692827572.000000001AC96000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000009.00000002.1958255110.000000003313F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.1958255110.000000003313F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000009.00000002.1958255110.000000003313F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000009.00000002.1924122162.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 AF 88 44 24 2B 88 44 24 2F B0 73 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000007.00000002.1868715464.000000001DA11000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.1868715464.000000001DA11000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000007.00000002.1868715464.000000001DA11000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000C.00000002.2952506379.000000003223D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000007.00000002.1869048086.000000001EEB0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.1869048086.000000001EEB0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000007.00000002.1869048086.000000001EEB0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000007.00000002.1869048086.000000001EEB0000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x421f1:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x42263:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x422ed:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x4237f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x423e9:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x4245b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x424f1:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x42581:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000007.00000002.1869048086.000000001EEB0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x3c09b:$s2: GetPrivateProfileString 0x3f385:$s3: get_OSFullName 0x3c83b:$s5: remove_Key 0x3c85b:$s5: remove_Key 0x3f7e0:$s6: FtpWebRequest 0x421d3:$s7: logins 0x42745:$s7: logins 0x45428:$s7: logins 0x45508:$s7: logins 0x485d6:$s7: logins 0x460a2:$s9: 1.85 (Hash, version 2, native byte-order)
0000000C.00000002.2952506379.0000000032212000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000002.2952506379.0000000032212000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000007.00000002.1846366620.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 AF 88 44 24 2B 88 44 24 2F B0 73 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000007.00000002.1869683388.000000001F740000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.1869683388.000000001F740000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000007.00000002.1869683388.000000001F740000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000007.00000002.1869683388.000000001F740000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x412e9:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x4135b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x413e5:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x41477:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x414e1:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x41553:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x415e9:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x41679:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000007.00000002.1869683388.000000001F740000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x3b193:$s2: GetPrivateProfileString 0x3e47d:$s3: get_OSFullName 0x3b933:$s5: remove_Key 0x3b953:$s5: remove_Key 0x3e8d8:$s6: FtpWebRequest 0x412cb:$s7: logins 0x4183d:$s7: logins 0x44520:$s7: logins 0x44600:$s7: logins 0x476ce:$s7: logins 0x4519a:$s9: 1.85 (Hash, version 2, native byte-order)
00000007.00000002.1867501454.000000001CA42000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.1867501454.000000001CA42000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1691814466.000000000234D000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
00000007.00000001.1690006948.0000000000400000.00000040.00000001.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 AF 88 44 24 2B 88 44 24 2F B0 73 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000007.00000002.1867501454.000000001CA6E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000009.00000002.1959445791.0000000033590000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.1959445791.0000000033590000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000009.00000002.1959445791.0000000033590000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000009.00000002.1959445791.0000000033590000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x421f1:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x42263:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x422ed:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x4237f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x423e9:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x4245b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x424f1:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x42581:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000009.00000002.1959445791.0000000033590000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x3c09b:$s2: GetPrivateProfileString 0x3f385:$s3: get_OSFullName 0x3c83b:$s5: remove_Key 0x3c85b:$s5: remove_Key 0x3f7e0:$s6: FtpWebRequest 0x421d3:$s7: logins 0x42745:$s7: logins 0x45428:$s7: logins 0x45508:$s7: logins 0x485d6:$s7: logins 0x460a2:$s9: 1.85 (Hash, version 2, native byte-order)
0000000C.00000003.1900917450.00000000304A0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000003.1900917450.00000000304A0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000C.00000003.1900917450.00000000304A0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000009.00000002.1962025501.0000000035BA0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.1962025501.0000000035BA0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000009.00000002.1962025501.0000000035BA0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000009.00000002.1962025501.0000000035BA0000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x412e9:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x4135b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x413e5:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x41477:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x414e1:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x41553:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x415e9:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x41679:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000009.00000002.1962025501.0000000035BA0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x3b193:$s2: GetPrivateProfileString 0x3e47d:$s3: get_OSFullName 0x3b933:$s5: remove_Key 0x3b953:$s5: remove_Key 0x3e8d8:$s6: FtpWebRequest 0x412cb:$s7: logins 0x4183d:$s7: logins 0x44520:$s7: logins 0x44600:$s7: logins 0x476ce:$s7: logins 0x4519a:$s9: 1.85 (Hash, version 2, native byte-order)
0000000C.00000002.2952134787.0000000031F1F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000002.2952134787.0000000031F1F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000C.00000002.2952134787.0000000031F1F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000009.00000002.1959828527.0000000033652000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.1959828527.0000000033652000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: rwmbmyrA.pif PID: 4312	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: rwmbmyrA.pif PID: 4312	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: rwmbmyrA.pif PID: 6976	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: rwmbmyrA.pif PID: 6976	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: rwmbmyrA.pif PID: 5704	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: rwmbmyrA.pif PID: 5704	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 74 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
9.1.rwmbmyrA.pif.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 AF 88 44 24 2B 88 44 24 2F B0 73 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
7.2.rwmbmyrA.pif.1da65390.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.rwmbmyrA.pif.1da65390.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.2.rwmbmyrA.pif.1da65390.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.rwmbmyrA.pif.1da65390.4.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3f4e9:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3f55b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3f5e5:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3f677:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3f6e1:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3f753:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3f7e9:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3f879:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.2.rwmbmyrA.pif.1da65390.4.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x39393:$s2: GetPrivateProfileString 0x3c67d:$s3: get_OSFullName 0x39b33:$s5: remove_Key 0x39b53:$s5: remove_Key 0x3cad8:$s6: FtpWebRequest 0x3f4cb:$s7: logins 0x3fa3d:$s7: logins 0x42720:$s7: logins 0x42800:$s7: logins 0x458ce:$s7: logins 0x4339a:$s9: 1.85 (Hash, version 2, native byte-order)
12.2.rwmbmyrA.pif.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 AF 88 44 24 2B 88 44 24 2F B0 73 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
12.2.rwmbmyrA.pif.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 AF 88 44 24 2B 88 44 24 2F B0 73 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
9.2.rwmbmyrA.pif.3317fe86.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.rwmbmyrA.pif.3317fe86.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
9.2.rwmbmyrA.pif.3317fe86.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.2.rwmbmyrA.pif.3317fe86.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x421f1:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x42263:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x422ed:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x4237f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x423e9:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x4245b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x424f1:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x42581:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
9.2.rwmbmyrA.pif.3317fe86.2.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x3c09b:$s2: GetPrivateProfileString 0x3f385:$s3: get_OSFullName 0x3c83b:$s5: remove_Key 0x3c85b:$s5: remove_Key 0x3f7e0:$s6: FtpWebRequest 0x421d3:$s7: logins 0x42745:$s7: logins 0x45428:$s7: logins 0x45508:$s7: logins 0x485d6:$s7: logins 0x460a2:$s9: 1.85 (Hash, version 2, native byte-order)
7.2.rwmbmyrA.pif.1da65390.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.rwmbmyrA.pif.1da65390.4.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.2.rwmbmyrA.pif.1da65390.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.rwmbmyrA.pif.1da65390.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x412e9:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x4135b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x413e5:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x41477:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x414e1:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x41553:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x415e9:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x41679:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.2.rwmbmyrA.pif.1da65390.4.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x3b193:$s2: GetPrivateProfileString 0x3e47d:$s3: get_OSFullName 0x3b933:$s5: remove_Key 0x3b953:$s5: remove_Key 0x3e8d8:$s6: FtpWebRequest 0x412cb:$s7: logins 0x4183d:$s7: logins 0x44520:$s7: logins 0x44600:$s7: logins 0x476ce:$s7: logins 0x4519a:$s9: 1.85 (Hash, version 2, native byte-order)
9.2.rwmbmyrA.pif.33590000.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.rwmbmyrA.pif.33590000.5.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
9.2.rwmbmyrA.pif.33590000.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.2.rwmbmyrA.pif.33590000.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x421f1:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x42263:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x422ed:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x4237f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x423e9:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x4245b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x424f1:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x42581:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
9.2.rwmbmyrA.pif.33590000.5.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x3c09b:$s2: GetPrivateProfileString 0x3f385:$s3: get_OSFullName 0x3c83b:$s5: remove_Key 0x3c85b:$s5: remove_Key 0x3f7e0:$s6: FtpWebRequest 0x421d3:$s7: logins 0x42745:$s7: logins 0x45428:$s7: logins 0x45508:$s7: logins 0x485d6:$s7: logins 0x460a2:$s9: 1.85 (Hash, version 2, native byte-order)
7.3.rwmbmyrA.pif.1ac96d68.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.3.rwmbmyrA.pif.1ac96d68.0.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.3.rwmbmyrA.pif.1ac96d68.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.3.rwmbmyrA.pif.1ac96d68.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x412e9:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x4135b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x413e5:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x41477:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x414e1:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x41553:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x415e9:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x41679:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.3.rwmbmyrA.pif.1ac96d68.0.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x3b193:$s2: GetPrivateProfileString 0x3e47d:$s3: get_OSFullName 0x3b933:$s5: remove_Key 0x3b953:$s5: remove_Key 0x3e8d8:$s6: FtpWebRequest 0x412cb:$s7: logins 0x4183d:$s7: logins 0x44520:$s7: logins 0x44600:$s7: logins 0x476ce:$s7: logins 0x4519a:$s9: 1.85 (Hash, version 2, native byte-order)
7.1.rwmbmyrA.pif.400000.1.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 AF 88 44 24 2B 88 44 24 2F B0 73 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
7.2.rwmbmyrA.pif.400000.1.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 AF 88 44 24 2B 88 44 24 2F B0 73 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
9.2.rwmbmyrA.pif.34625570.7.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.rwmbmyrA.pif.34625570.7.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
9.2.rwmbmyrA.pif.34625570.7.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.2.rwmbmyrA.pif.34625570.7.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x403f1:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x40463:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x404ed:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x4057f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x405e9:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x4065b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x406f1:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x40781:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
9.2.rwmbmyrA.pif.34625570.7.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x3a29b:$s2: GetPrivateProfileString 0x3d585:$s3: get_OSFullName 0x3aa3b:$s5: remove_Key 0x3aa5b:$s5: remove_Key 0x3d9e0:$s6: FtpWebRequest 0x403d3:$s7: logins 0x40945:$s7: logins 0x43628:$s7: logins 0x43708:$s7: logins 0x467d6:$s7: logins 0x442a2:$s9: 1.85 (Hash, version 2, native byte-order)
12.2.rwmbmyrA.pif.31f60d8e.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.rwmbmyrA.pif.31f60d8e.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
12.2.rwmbmyrA.pif.31f60d8e.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
12.2.rwmbmyrA.pif.31f60d8e.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x412e9:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x4135b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x413e5:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x41477:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x414e1:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x41553:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x415e9:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x41679:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
12.2.rwmbmyrA.pif.31f60d8e.3.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x3b193:$s2: GetPrivateProfileString 0x3e47d:$s3: get_OSFullName 0x3b933:$s5: remove_Key 0x3b953:$s5: remove_Key 0x3e8d8:$s6: FtpWebRequest 0x412cb:$s7: logins 0x4183d:$s7: logins 0x44520:$s7: logins 0x44600:$s7: logins 0x476ce:$s7: logins 0x4519a:$s9: 1.85 (Hash, version 2, native byte-order)
9.2.rwmbmyrA.pif.34675390.6.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.rwmbmyrA.pif.34675390.6.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
9.2.rwmbmyrA.pif.34675390.6.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.2.rwmbmyrA.pif.34675390.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x412e9:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x4135b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x413e5:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x41477:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x414e1:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x41553:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x415e9:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x41679:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
9.2.rwmbmyrA.pif.34675390.6.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x3b193:$s2: GetPrivateProfileString 0x3e47d:$s3: get_OSFullName 0x3b933:$s5: remove_Key 0x3b953:$s5: remove_Key 0x3e8d8:$s6: FtpWebRequest 0x412cb:$s7: logins 0x4183d:$s7: logins 0x44520:$s7: logins 0x44600:$s7: logins 0x476ce:$s7: logins 0x4519a:$s9: 1.85 (Hash, version 2, native byte-order)
12.2.rwmbmyrA.pif.34660000.7.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.rwmbmyrA.pif.34660000.7.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
12.2.rwmbmyrA.pif.34660000.7.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
12.2.rwmbmyrA.pif.34660000.7.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x403f1:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x40463:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x404ed:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x4057f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x405e9:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x4065b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x406f1:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x40781:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
12.2.rwmbmyrA.pif.34660000.7.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x3a29b:$s2: GetPrivateProfileString 0x3d585:$s3: get_OSFullName 0x3aa3b:$s5: remove_Key 0x3aa5b:$s5: remove_Key 0x3d9e0:$s6: FtpWebRequest 0x403d3:$s7: logins 0x40945:$s7: logins 0x43628:$s7: logins 0x43708:$s7: logins 0x467d6:$s7: logins 0x442a2:$s9: 1.85 (Hash, version 2, native byte-order)
12.2.rwmbmyrA.pif.331e5570.6.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.rwmbmyrA.pif.331e5570.6.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
12.2.rwmbmyrA.pif.331e5570.6.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
12.2.rwmbmyrA.pif.331e5570.6.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x403f1:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x40463:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x404ed:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x4057f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x405e9:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x4065b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x406f1:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x40781:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
12.2.rwmbmyrA.pif.331e5570.6.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x3a29b:$s2: GetPrivateProfileString 0x3d585:$s3: get_OSFullName 0x3aa3b:$s5: remove_Key 0x3aa5b:$s5: remove_Key 0x3d9e0:$s6: FtpWebRequest 0x403d3:$s7: logins 0x40945:$s7: logins 0x43628:$s7: logins 0x43708:$s7: logins 0x467d6:$s7: logins 0x442a2:$s9: 1.85 (Hash, version 2, native byte-order)
7.2.rwmbmyrA.pif.1da15570.6.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.rwmbmyrA.pif.1da15570.6.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.2.rwmbmyrA.pif.1da15570.6.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.rwmbmyrA.pif.1da15570.6.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x403f1:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x40463:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x404ed:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x4057f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x405e9:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x4065b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x406f1:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x40781:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.2.rwmbmyrA.pif.1da15570.6.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x3a29b:$s2: GetPrivateProfileString 0x3d585:$s3: get_OSFullName 0x3aa3b:$s5: remove_Key 0x3aa5b:$s5: remove_Key 0x3d9e0:$s6: FtpWebRequest 0x403d3:$s7: logins 0x40945:$s7: logins 0x43628:$s7: logins 0x43708:$s7: logins 0x467d6:$s7: logins 0x442a2:$s9: 1.85 (Hash, version 2, native byte-order)
9.2.rwmbmyrA.pif.33590f08.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.rwmbmyrA.pif.33590f08.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
9.2.rwmbmyrA.pif.33590f08.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.2.rwmbmyrA.pif.33590f08.4.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3f4e9:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3f55b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3f5e5:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3f677:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3f6e1:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3f753:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3f7e9:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3f879:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
9.2.rwmbmyrA.pif.33590f08.4.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x39393:$s2: GetPrivateProfileString 0x3c67d:$s3: get_OSFullName 0x39b33:$s5: remove_Key 0x39b53:$s5: remove_Key 0x3cad8:$s6: FtpWebRequest 0x3f4cb:$s7: logins 0x3fa3d:$s7: logins 0x42720:$s7: logins 0x42800:$s7: logins 0x458ce:$s7: logins 0x4339a:$s9: 1.85 (Hash, version 2, native byte-order)
9.2.rwmbmyrA.pif.33180d8e.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.rwmbmyrA.pif.33180d8e.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
9.2.rwmbmyrA.pif.33180d8e.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.2.rwmbmyrA.pif.33180d8e.3.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3f4e9:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3f55b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3f5e5:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3f677:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3f6e1:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3f753:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3f7e9:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3f879:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
9.2.rwmbmyrA.pif.33180d8e.3.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x39393:$s2: GetPrivateProfileString 0x3c67d:$s3: get_OSFullName 0x39b33:$s5: remove_Key 0x39b53:$s5: remove_Key 0x3cad8:$s6: FtpWebRequest 0x3f4cb:$s7: logins 0x3fa3d:$s7: logins 0x42720:$s7: logins 0x42800:$s7: logins 0x458ce:$s7: logins 0x4339a:$s9: 1.85 (Hash, version 2, native byte-order)
9.3.rwmbmyrA.pif.3157e9d0.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.3.rwmbmyrA.pif.3157e9d0.0.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
9.3.rwmbmyrA.pif.3157e9d0.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.3.rwmbmyrA.pif.3157e9d0.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x412e9:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x4135b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x413e5:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x41477:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x414e1:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x41553:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x415e9:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x41679:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
9.3.rwmbmyrA.pif.3157e9d0.0.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x3b193:$s2: GetPrivateProfileString 0x3e47d:$s3: get_OSFullName 0x3b933:$s5: remove_Key 0x3b953:$s5: remove_Key 0x3e8d8:$s6: FtpWebRequest 0x412cb:$s7: logins 0x4183d:$s7: logins 0x44520:$s7: logins 0x44600:$s7: logins 0x476ce:$s7: logins 0x4519a:$s9: 1.85 (Hash, version 2, native byte-order)
7.2.rwmbmyrA.pif.400000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 AF 88 44 24 2B 88 44 24 2F B0 73 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
9.2.rwmbmyrA.pif.35ba0000.9.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.rwmbmyrA.pif.35ba0000.9.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
9.2.rwmbmyrA.pif.35ba0000.9.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.2.rwmbmyrA.pif.35ba0000.9.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3f4e9:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3f55b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3f5e5:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3f677:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3f6e1:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3f753:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3f7e9:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3f879:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
9.2.rwmbmyrA.pif.35ba0000.9.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x39393:$s2: GetPrivateProfileString 0x3c67d:$s3: get_OSFullName 0x39b33:$s5: remove_Key 0x39b53:$s5: remove_Key 0x3cad8:$s6: FtpWebRequest 0x3f4cb:$s7: logins 0x3fa3d:$s7: logins 0x42720:$s7: logins 0x42800:$s7: logins 0x458ce:$s7: logins 0x4339a:$s9: 1.85 (Hash, version 2, native byte-order)
7.2.rwmbmyrA.pif.1c700d8e.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.rwmbmyrA.pif.1c700d8e.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.2.rwmbmyrA.pif.1c700d8e.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.rwmbmyrA.pif.1c700d8e.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3f4e9:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3f55b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3f5e5:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3f677:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3f6e1:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3f753:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3f7e9:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3f879:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.2.rwmbmyrA.pif.1c700d8e.2.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x39393:$s2: GetPrivateProfileString 0x3c67d:$s3: get_OSFullName 0x39b33:$s5: remove_Key 0x39b53:$s5: remove_Key 0x3cad8:$s6: FtpWebRequest 0x3f4cb:$s7: logins 0x3fa3d:$s7: logins 0x42720:$s7: logins 0x42800:$s7: logins 0x458ce:$s7: logins 0x4339a:$s9: 1.85 (Hash, version 2, native byte-order)
9.2.rwmbmyrA.pif.3317fe86.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.rwmbmyrA.pif.3317fe86.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
9.2.rwmbmyrA.pif.3317fe86.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.2.rwmbmyrA.pif.3317fe86.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x403f1:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x40463:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x404ed:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x4057f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x405e9:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x4065b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x406f1:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x40781:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
9.2.rwmbmyrA.pif.3317fe86.2.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x3a29b:$s2: GetPrivateProfileString 0x3d585:$s3: get_OSFullName 0x3aa3b:$s5: remove_Key 0x3aa5b:$s5: remove_Key 0x3d9e0:$s6: FtpWebRequest 0x403d3:$s7: logins 0x40945:$s7: logins 0x43628:$s7: logins 0x43708:$s7: logins 0x467d6:$s7: logins 0x442a2:$s9: 1.85 (Hash, version 2, native byte-order)
9.3.rwmbmyrA.pif.3157e9d0.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.3.rwmbmyrA.pif.3157e9d0.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
9.3.rwmbmyrA.pif.3157e9d0.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.3.rwmbmyrA.pif.3157e9d0.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3f4e9:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3f55b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3f5e5:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3f677:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3f6e1:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3f753:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3f7e9:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3f879:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
9.3.rwmbmyrA.pif.3157e9d0.0.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x39393:$s2: GetPrivateProfileString 0x3c67d:$s3: get_OSFullName 0x39b33:$s5: remove_Key 0x39b53:$s5: remove_Key 0x3cad8:$s6: FtpWebRequest 0x3f4cb:$s7: logins 0x3fa3d:$s7: logins 0x42720:$s7: logins 0x42800:$s7: logins 0x458ce:$s7: logins 0x4339a:$s9: 1.85 (Hash, version 2, native byte-order)
12.2.rwmbmyrA.pif.33235390.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.rwmbmyrA.pif.33235390.5.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
12.2.rwmbmyrA.pif.33235390.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
12.2.rwmbmyrA.pif.33235390.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x412e9:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x4135b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x413e5:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x41477:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x414e1:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x41553:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x415e9:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x41679:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
12.2.rwmbmyrA.pif.33235390.5.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x3b193:$s2: GetPrivateProfileString 0x3e47d:$s3: get_OSFullName 0x3b933:$s5: remove_Key 0x3b953:$s5: remove_Key 0x3e8d8:$s6: FtpWebRequest 0x412cb:$s7: logins 0x4183d:$s7: logins 0x44520:$s7: logins 0x44600:$s7: logins 0x476ce:$s7: logins 0x4519a:$s9: 1.85 (Hash, version 2, native byte-order)
12.2.rwmbmyrA.pif.31f60d8e.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.rwmbmyrA.pif.31f60d8e.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
12.2.rwmbmyrA.pif.31f60d8e.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
12.2.rwmbmyrA.pif.31f60d8e.3.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3f4e9:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3f55b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3f5e5:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3f677:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3f6e1:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3f753:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3f7e9:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3f879:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
12.2.rwmbmyrA.pif.31f60d8e.3.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x39393:$s2: GetPrivateProfileString 0x3c67d:$s3: get_OSFullName 0x39b33:$s5: remove_Key 0x39b53:$s5: remove_Key 0x3cad8:$s6: FtpWebRequest 0x3f4cb:$s7: logins 0x3fa3d:$s7: logins 0x42720:$s7: logins 0x42800:$s7: logins 0x458ce:$s7: logins 0x4339a:$s9: 1.85 (Hash, version 2, native byte-order)
12.2.rwmbmyrA.pif.31f5fe86.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.rwmbmyrA.pif.31f5fe86.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
12.2.rwmbmyrA.pif.31f5fe86.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
12.2.rwmbmyrA.pif.31f5fe86.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x421f1:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x42263:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x422ed:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x4237f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x423e9:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x4245b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x424f1:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x42581:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
12.2.rwmbmyrA.pif.31f5fe86.2.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x3c09b:$s2: GetPrivateProfileString 0x3f385:$s3: get_OSFullName 0x3c83b:$s5: remove_Key 0x3c85b:$s5: remove_Key 0x3f7e0:$s6: FtpWebRequest 0x421d3:$s7: logins 0x42745:$s7: logins 0x45428:$s7: logins 0x45508:$s7: logins 0x485d6:$s7: logins 0x460a2:$s9: 1.85 (Hash, version 2, native byte-order)
7.3.rwmbmyrA.pif.1ac96d68.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.3.rwmbmyrA.pif.1ac96d68.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.3.rwmbmyrA.pif.1ac96d68.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.3.rwmbmyrA.pif.1ac96d68.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3f4e9:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3f55b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3f5e5:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3f677:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3f6e1:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3f753:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3f7e9:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3f879:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.3.rwmbmyrA.pif.1ac96d68.0.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x39393:$s2: GetPrivateProfileString 0x3c67d:$s3: get_OSFullName 0x39b33:$s5: remove_Key 0x39b53:$s5: remove_Key 0x3cad8:$s6: FtpWebRequest 0x3f4cb:$s7: logins 0x3fa3d:$s7: logins 0x42720:$s7: logins 0x42800:$s7: logins 0x458ce:$s7: logins 0x4339a:$s9: 1.85 (Hash, version 2, native byte-order)
12.3.rwmbmyrA.pif.304a08f8.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.3.rwmbmyrA.pif.304a08f8.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
12.3.rwmbmyrA.pif.304a08f8.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
12.3.rwmbmyrA.pif.304a08f8.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3f4e9:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3f55b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3f5e5:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3f677:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3f6e1:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3f753:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3f7e9:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3f879:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
12.3.rwmbmyrA.pif.304a08f8.0.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x39393:$s2: GetPrivateProfileString 0x3c67d:$s3: get_OSFullName 0x39b33:$s5: remove_Key 0x39b53:$s5: remove_Key 0x3cad8:$s6: FtpWebRequest 0x3f4cb:$s7: logins 0x3fa3d:$s7: logins 0x42720:$s7: logins 0x42800:$s7: logins 0x458ce:$s7: logins 0x4339a:$s9: 1.85 (Hash, version 2, native byte-order)
12.1.rwmbmyrA.pif.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 AF 88 44 24 2B 88 44 24 2F B0 73 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
12.2.rwmbmyrA.pif.34660f08.8.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.rwmbmyrA.pif.34660f08.8.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
12.2.rwmbmyrA.pif.34660f08.8.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
12.2.rwmbmyrA.pif.34660f08.8.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3f4e9:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3f55b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3f5e5:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3f677:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3f6e1:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3f753:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3f7e9:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3f879:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
12.2.rwmbmyrA.pif.34660f08.8.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x39393:$s2: GetPrivateProfileString 0x3c67d:$s3: get_OSFullName 0x39b33:$s5: remove_Key 0x39b53:$s5: remove_Key 0x3cad8:$s6: FtpWebRequest 0x3f4cb:$s7: logins 0x3fa3d:$s7: logins 0x42720:$s7: logins 0x42800:$s7: logins 0x458ce:$s7: logins 0x4339a:$s9: 1.85 (Hash, version 2, native byte-order)
7.2.rwmbmyrA.pif.1f740000.9.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.rwmbmyrA.pif.1f740000.9.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.2.rwmbmyrA.pif.1f740000.9.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.rwmbmyrA.pif.1f740000.9.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x412e9:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x4135b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x413e5:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x41477:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x414e1:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x41553:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x415e9:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x41679:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.2.rwmbmyrA.pif.1f740000.9.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x3b193:$s2: GetPrivateProfileString 0x3e47d:$s3: get_OSFullName 0x3b933:$s5: remove_Key 0x3b953:$s5: remove_Key 0x3e8d8:$s6: FtpWebRequest 0x412cb:$s7: logins 0x4183d:$s7: logins 0x44520:$s7: logins 0x44600:$s7: logins 0x476ce:$s7: logins 0x4519a:$s9: 1.85 (Hash, version 2, native byte-order)
7.2.rwmbmyrA.pif.1eeb0000.8.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.rwmbmyrA.pif.1eeb0000.8.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.2.rwmbmyrA.pif.1eeb0000.8.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.rwmbmyrA.pif.1eeb0000.8.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x421f1:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x42263:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x422ed:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x4237f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x423e9:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x4245b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x424f1:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x42581:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.2.rwmbmyrA.pif.1eeb0000.8.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x3c09b:$s2: GetPrivateProfileString 0x3f385:$s3: get_OSFullName 0x3c83b:$s5: remove_Key 0x3c85b:$s5: remove_Key 0x3f7e0:$s6: FtpWebRequest 0x421d3:$s7: logins 0x42745:$s7: logins 0x45428:$s7: logins 0x45508:$s7: logins 0x485d6:$s7: logins 0x460a2:$s9: 1.85 (Hash, version 2, native byte-order)
12.2.rwmbmyrA.pif.33235390.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.rwmbmyrA.pif.33235390.5.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
12.2.rwmbmyrA.pif.33235390.5.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
12.2.rwmbmyrA.pif.33235390.5.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3f4e9:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3f55b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3f5e5:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3f677:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3f6e1:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3f753:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3f7e9:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3f879:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
12.2.rwmbmyrA.pif.33235390.5.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x39393:$s2: GetPrivateProfileString 0x3c67d:$s3: get_OSFullName 0x39b33:$s5: remove_Key 0x39b53:$s5: remove_Key 0x3cad8:$s6: FtpWebRequest 0x3f4cb:$s7: logins 0x3fa3d:$s7: logins 0x42720:$s7: logins 0x42800:$s7: logins 0x458ce:$s7: logins 0x4339a:$s9: 1.85 (Hash, version 2, native byte-order)
9.2.rwmbmyrA.pif.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 AF 88 44 24 2B 88 44 24 2F B0 73 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
7.2.rwmbmyrA.pif.1f740000.9.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.rwmbmyrA.pif.1f740000.9.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.2.rwmbmyrA.pif.1f740000.9.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.rwmbmyrA.pif.1f740000.9.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3f4e9:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3f55b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3f5e5:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3f677:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3f6e1:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3f753:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3f7e9:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3f879:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.2.rwmbmyrA.pif.1f740000.9.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x39393:$s2: GetPrivateProfileString 0x3c67d:$s3: get_OSFullName 0x39b33:$s5: remove_Key 0x39b53:$s5: remove_Key 0x3cad8:$s6: FtpWebRequest 0x3f4cb:$s7: logins 0x3fa3d:$s7: logins 0x42720:$s7: logins 0x42800:$s7: logins 0x458ce:$s7: logins 0x4339a:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.D9876543456780000.exe.28a0000.1.unpack	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
9.2.rwmbmyrA.pif.33180d8e.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.rwmbmyrA.pif.33180d8e.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
9.2.rwmbmyrA.pif.33180d8e.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.2.rwmbmyrA.pif.33180d8e.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x412e9:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x4135b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x413e5:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x41477:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x414e1:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x41553:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x415e9:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x41679:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
9.2.rwmbmyrA.pif.33180d8e.3.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x3b193:$s2: GetPrivateProfileString 0x3e47d:$s3: get_OSFullName 0x3b933:$s5: remove_Key 0x3b953:$s5: remove_Key 0x3e8d8:$s6: FtpWebRequest 0x412cb:$s7: logins 0x4183d:$s7: logins 0x44520:$s7: logins 0x44600:$s7: logins 0x476ce:$s7: logins 0x4519a:$s9: 1.85 (Hash, version 2, native byte-order)
12.2.rwmbmyrA.pif.31f5fe86.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.rwmbmyrA.pif.31f5fe86.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
12.2.rwmbmyrA.pif.31f5fe86.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
12.2.rwmbmyrA.pif.31f5fe86.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x403f1:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x40463:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x404ed:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x4057f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x405e9:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x4065b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x406f1:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x40781:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
12.2.rwmbmyrA.pif.31f5fe86.2.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x3a29b:$s2: GetPrivateProfileString 0x3d585:$s3: get_OSFullName 0x3aa3b:$s5: remove_Key 0x3aa5b:$s5: remove_Key 0x3d9e0:$s6: FtpWebRequest 0x403d3:$s7: logins 0x40945:$s7: logins 0x43628:$s7: logins 0x43708:$s7: logins 0x467d6:$s7: logins 0x442a2:$s9: 1.85 (Hash, version 2, native byte-order)
7.2.rwmbmyrA.pif.1da16478.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.rwmbmyrA.pif.1da16478.5.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.2.rwmbmyrA.pif.1da16478.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.rwmbmyrA.pif.1da16478.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x412e9:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x90201:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x4135b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x90273:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x413e5:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x902fd:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x41477:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x9038f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x414e1:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x903f9:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x41553:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x9046b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x415e9:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x90501:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x41679:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x90591:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.2.rwmbmyrA.pif.1da16478.5.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x3b193:$s2: GetPrivateProfileString 0x8a0ab:$s2: GetPrivateProfileString 0x3e47d:$s3: get_OSFullName 0x8d395:$s3: get_OSFullName 0x3b933:$s5: remove_Key 0x3b953:$s5: remove_Key 0x8a84b:$s5: remove_Key 0x8a86b:$s5: remove_Key 0x3e8d8:$s6: FtpWebRequest 0x8d7f0:$s6: FtpWebRequest 0x412cb:$s7: logins 0x4183d:$s7: logins 0x44520:$s7: logins 0x44600:$s7: logins 0x476ce:$s7: logins 0x901e3:$s7: logins 0x90755:$s7: logins 0x93438:$s7: logins 0x93518:$s7: logins 0x965e6:$s7: logins 0x4519a:$s9: 1.85 (Hash, version 2, native byte-order)
7.2.rwmbmyrA.pif.1da16478.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.rwmbmyrA.pif.1da16478.5.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.2.rwmbmyrA.pif.1da16478.5.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.rwmbmyrA.pif.1da16478.5.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3f4e9:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3f55b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3f5e5:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3f677:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3f6e1:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3f753:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3f7e9:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3f879:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.2.rwmbmyrA.pif.1da16478.5.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x39393:$s2: GetPrivateProfileString 0x3c67d:$s3: get_OSFullName 0x39b33:$s5: remove_Key 0x39b53:$s5: remove_Key 0x3cad8:$s6: FtpWebRequest 0x3f4cb:$s7: logins 0x3fa3d:$s7: logins 0x42720:$s7: logins 0x42800:$s7: logins 0x458ce:$s7: logins 0x4339a:$s9: 1.85 (Hash, version 2, native byte-order)
12.2.rwmbmyrA.pif.331e6478.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.rwmbmyrA.pif.331e6478.4.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
12.2.rwmbmyrA.pif.331e6478.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
12.3.rwmbmyrA.pif.304a08f8.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.3.rwmbmyrA.pif.304a08f8.0.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
12.3.rwmbmyrA.pif.304a08f8.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
12.3.rwmbmyrA.pif.304a08f8.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x412e9:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x4135b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x413e5:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x41477:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x414e1:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x41553:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x415e9:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x41679:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
12.3.rwmbmyrA.pif.304a08f8.0.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x3b193:$s2: GetPrivateProfileString 0x3e47d:$s3: get_OSFullName 0x3b933:$s5: remove_Key 0x3b953:$s5: remove_Key 0x3e8d8:$s6: FtpWebRequest 0x412cb:$s7: logins 0x4183d:$s7: logins 0x44520:$s7: logins 0x44600:$s7: logins 0x476ce:$s7: logins 0x4519a:$s9: 1.85 (Hash, version 2, native byte-order)
9.2.rwmbmyrA.pif.34625570.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.rwmbmyrA.pif.34625570.7.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
9.2.rwmbmyrA.pif.34625570.7.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.2.rwmbmyrA.pif.34625570.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x421f1:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x91109:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x42263:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x9117b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x422ed:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x91205:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x4237f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x91297:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x423e9:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x91301:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x4245b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x91373:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x424f1:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x91409:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x42581:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x91499:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
9.2.rwmbmyrA.pif.34625570.7.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x3c09b:$s2: GetPrivateProfileString 0x8afb3:$s2: GetPrivateProfileString 0x3f385:$s3: get_OSFullName 0x8e29d:$s3: get_OSFullName 0x3c83b:$s5: remove_Key 0x3c85b:$s5: remove_Key 0x8b753:$s5: remove_Key 0x8b773:$s5: remove_Key 0x3f7e0:$s6: FtpWebRequest 0x8e6f8:$s6: FtpWebRequest 0x421d3:$s7: logins 0x42745:$s7: logins 0x45428:$s7: logins 0x45508:$s7: logins 0x485d6:$s7: logins 0x910eb:$s7: logins 0x9165d:$s7: logins 0x94340:$s7: logins 0x94420:$s7: logins 0x974ee:$s7: logins 0x460a2:$s9: 1.85 (Hash, version 2, native byte-order)
12.2.rwmbmyrA.pif.331e6478.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x412e9:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x90201:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x4135b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x90273:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x413e5:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x902fd:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x41477:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x9038f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x414e1:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x903f9:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x41553:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x9046b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x415e9:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x90501:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x41679:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x90591:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
12.2.rwmbmyrA.pif.331e6478.4.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x3b193:$s2: GetPrivateProfileString 0x8a0ab:$s2: GetPrivateProfileString 0x3e47d:$s3: get_OSFullName 0x8d395:$s3: get_OSFullName 0x3b933:$s5: remove_Key 0x3b953:$s5: remove_Key 0x8a84b:$s5: remove_Key 0x8a86b:$s5: remove_Key 0x3e8d8:$s6: FtpWebRequest 0x8d7f0:$s6: FtpWebRequest 0x412cb:$s7: logins 0x4183d:$s7: logins 0x44520:$s7: logins 0x44600:$s7: logins 0x476ce:$s7: logins 0x901e3:$s7: logins 0x90755:$s7: logins 0x93438:$s7: logins 0x93518:$s7: logins 0x965e6:$s7: logins 0x4519a:$s9: 1.85 (Hash, version 2, native byte-order)
7.2.rwmbmyrA.pif.1eeb0f08.7.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.rwmbmyrA.pif.1eeb0f08.7.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.2.rwmbmyrA.pif.1eeb0f08.7.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.rwmbmyrA.pif.1eeb0f08.7.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3f4e9:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3f55b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3f5e5:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3f677:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3f6e1:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3f753:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3f7e9:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3f879:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.2.rwmbmyrA.pif.1eeb0f08.7.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x39393:$s2: GetPrivateProfileString 0x3c67d:$s3: get_OSFullName 0x39b33:$s5: remove_Key 0x39b53:$s5: remove_Key 0x3cad8:$s6: FtpWebRequest 0x3f4cb:$s7: logins 0x3fa3d:$s7: logins 0x42720:$s7: logins 0x42800:$s7: logins 0x458ce:$s7: logins 0x4339a:$s9: 1.85 (Hash, version 2, native byte-order)
9.2.rwmbmyrA.pif.34626478.8.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.rwmbmyrA.pif.34626478.8.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
9.2.rwmbmyrA.pif.34626478.8.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.2.rwmbmyrA.pif.34626478.8.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3f4e9:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3f55b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3f5e5:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3f677:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3f6e1:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3f753:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3f7e9:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3f879:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
9.2.rwmbmyrA.pif.34626478.8.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x39393:$s2: GetPrivateProfileString 0x3c67d:$s3: get_OSFullName 0x39b33:$s5: remove_Key 0x39b53:$s5: remove_Key 0x3cad8:$s6: FtpWebRequest 0x3f4cb:$s7: logins 0x3fa3d:$s7: logins 0x42720:$s7: logins 0x42800:$s7: logins 0x458ce:$s7: logins 0x4339a:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.D9876543456780000.exe.234de48.0.unpack	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
7.2.rwmbmyrA.pif.1c6ffe86.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.rwmbmyrA.pif.1c6ffe86.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.2.rwmbmyrA.pif.1c6ffe86.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.rwmbmyrA.pif.1c6ffe86.3.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x403f1:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x40463:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x404ed:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x4057f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x405e9:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x4065b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x406f1:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x40781:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.2.rwmbmyrA.pif.1c6ffe86.3.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x3a29b:$s2: GetPrivateProfileString 0x3d585:$s3: get_OSFullName 0x3aa3b:$s5: remove_Key 0x3aa5b:$s5: remove_Key 0x3d9e0:$s6: FtpWebRequest 0x403d3:$s7: logins 0x40945:$s7: logins 0x43628:$s7: logins 0x43708:$s7: logins 0x467d6:$s7: logins 0x442a2:$s9: 1.85 (Hash, version 2, native byte-order)
9.2.rwmbmyrA.pif.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 AF 88 44 24 2B 88 44 24 2F B0 73 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
7.2.rwmbmyrA.pif.1c6ffe86.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.rwmbmyrA.pif.1c6ffe86.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.2.rwmbmyrA.pif.1c6ffe86.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.rwmbmyrA.pif.1c6ffe86.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x421f1:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x42263:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x422ed:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x4237f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x423e9:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x4245b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x424f1:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x42581:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.2.rwmbmyrA.pif.1c6ffe86.3.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x3c09b:$s2: GetPrivateProfileString 0x3f385:$s3: get_OSFullName 0x3c83b:$s5: remove_Key 0x3c85b:$s5: remove_Key 0x3f7e0:$s6: FtpWebRequest 0x421d3:$s7: logins 0x42745:$s7: logins 0x45428:$s7: logins 0x45508:$s7: logins 0x485d6:$s7: logins 0x460a2:$s9: 1.85 (Hash, version 2, native byte-order)
12.2.rwmbmyrA.pif.331e6478.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.rwmbmyrA.pif.331e6478.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
12.2.rwmbmyrA.pif.331e6478.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
12.2.rwmbmyrA.pif.331e6478.4.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3f4e9:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3f55b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3f5e5:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3f677:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3f6e1:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3f753:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3f7e9:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3f879:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
12.2.rwmbmyrA.pif.331e6478.4.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x39393:$s2: GetPrivateProfileString 0x3c67d:$s3: get_OSFullName 0x39b33:$s5: remove_Key 0x39b53:$s5: remove_Key 0x3cad8:$s6: FtpWebRequest 0x3f4cb:$s7: logins 0x3fa3d:$s7: logins 0x42720:$s7: logins 0x42800:$s7: logins 0x458ce:$s7: logins 0x4339a:$s9: 1.85 (Hash, version 2, native byte-order)
7.1.rwmbmyrA.pif.400000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 AF 88 44 24 2B 88 44 24 2F B0 73 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
0.2.D9876543456780000.exe.234de48.0.raw.unpack	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
7.2.rwmbmyrA.pif.1da15570.6.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.rwmbmyrA.pif.1da15570.6.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.2.rwmbmyrA.pif.1da15570.6.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.rwmbmyrA.pif.1da15570.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x421f1:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x91109:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x42263:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x9117b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x422ed:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x91205:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x4237f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x91297:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x423e9:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x91301:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x4245b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x91373:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x424f1:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x91409:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x42581:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x91499:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.2.rwmbmyrA.pif.1da15570.6.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x3c09b:$s2: GetPrivateProfileString 0x8afb3:$s2: GetPrivateProfileString 0x3f385:$s3: get_OSFullName 0x8e29d:$s3: get_OSFullName 0x3c83b:$s5: remove_Key 0x3c85b:$s5: remove_Key 0x8b753:$s5: remove_Key 0x8b773:$s5: remove_Key 0x3f7e0:$s6: FtpWebRequest 0x8e6f8:$s6: FtpWebRequest 0x421d3:$s7: logins 0x42745:$s7: logins 0x45428:$s7: logins 0x45508:$s7: logins 0x485d6:$s7: logins 0x910eb:$s7: logins 0x9165d:$s7: logins 0x94340:$s7: logins 0x94420:$s7: logins 0x974ee:$s7: logins 0x460a2:$s9: 1.85 (Hash, version 2, native byte-order)
9.2.rwmbmyrA.pif.35ba0000.9.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.rwmbmyrA.pif.35ba0000.9.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
9.2.rwmbmyrA.pif.35ba0000.9.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.2.rwmbmyrA.pif.35ba0000.9.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x412e9:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x4135b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x413e5:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x41477:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x414e1:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x41553:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x415e9:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x41679:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
9.2.rwmbmyrA.pif.35ba0000.9.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x3b193:$s2: GetPrivateProfileString 0x3e47d:$s3: get_OSFullName 0x3b933:$s5: remove_Key 0x3b953:$s5: remove_Key 0x3e8d8:$s6: FtpWebRequest 0x412cb:$s7: logins 0x4183d:$s7: logins 0x44520:$s7: logins 0x44600:$s7: logins 0x476ce:$s7: logins 0x4519a:$s9: 1.85 (Hash, version 2, native byte-order)
7.2.rwmbmyrA.pif.1eeb0000.8.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.rwmbmyrA.pif.1eeb0000.8.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.2.rwmbmyrA.pif.1eeb0000.8.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.rwmbmyrA.pif.1eeb0000.8.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x403f1:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x40463:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x404ed:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x4057f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x405e9:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x4065b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x406f1:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x40781:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.2.rwmbmyrA.pif.1eeb0000.8.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x3a29b:$s2: GetPrivateProfileString 0x3d585:$s3: get_OSFullName 0x3aa3b:$s5: remove_Key 0x3aa5b:$s5: remove_Key 0x3d9e0:$s6: FtpWebRequest 0x403d3:$s7: logins 0x40945:$s7: logins 0x43628:$s7: logins 0x43708:$s7: logins 0x467d6:$s7: logins 0x442a2:$s9: 1.85 (Hash, version 2, native byte-order)
7.2.rwmbmyrA.pif.1eeb0f08.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.rwmbmyrA.pif.1eeb0f08.7.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.2.rwmbmyrA.pif.1eeb0f08.7.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.rwmbmyrA.pif.1eeb0f08.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x412e9:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x4135b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x413e5:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x41477:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x414e1:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x41553:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x415e9:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x41679:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.2.rwmbmyrA.pif.1eeb0f08.7.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x3b193:$s2: GetPrivateProfileString 0x3e47d:$s3: get_OSFullName 0x3b933:$s5: remove_Key 0x3b953:$s5: remove_Key 0x3e8d8:$s6: FtpWebRequest 0x412cb:$s7: logins 0x4183d:$s7: logins 0x44520:$s7: logins 0x44600:$s7: logins 0x476ce:$s7: logins 0x4519a:$s9: 1.85 (Hash, version 2, native byte-order)
12.1.rwmbmyrA.pif.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 AF 88 44 24 2B 88 44 24 2F B0 73 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
7.2.rwmbmyrA.pif.1c700d8e.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.rwmbmyrA.pif.1c700d8e.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.2.rwmbmyrA.pif.1c700d8e.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.rwmbmyrA.pif.1c700d8e.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x412e9:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x4135b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x413e5:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x41477:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x414e1:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x41553:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x415e9:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x41679:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.2.rwmbmyrA.pif.1c700d8e.2.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x3b193:$s2: GetPrivateProfileString 0x3e47d:$s3: get_OSFullName 0x3b933:$s5: remove_Key 0x3b953:$s5: remove_Key 0x3e8d8:$s6: FtpWebRequest 0x412cb:$s7: logins 0x4183d:$s7: logins 0x44520:$s7: logins 0x44600:$s7: logins 0x476ce:$s7: logins 0x4519a:$s9: 1.85 (Hash, version 2, native byte-order)
9.2.rwmbmyrA.pif.33590000.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.rwmbmyrA.pif.33590000.5.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
9.2.rwmbmyrA.pif.33590000.5.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.2.rwmbmyrA.pif.33590000.5.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x403f1:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x40463:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x404ed:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x4057f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x405e9:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x4065b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x406f1:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x40781:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
9.2.rwmbmyrA.pif.33590000.5.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x3a29b:$s2: GetPrivateProfileString 0x3d585:$s3: get_OSFullName 0x3aa3b:$s5: remove_Key 0x3aa5b:$s5: remove_Key 0x3d9e0:$s6: FtpWebRequest 0x403d3:$s7: logins 0x40945:$s7: logins 0x43628:$s7: logins 0x43708:$s7: logins 0x467d6:$s7: logins 0x442a2:$s9: 1.85 (Hash, version 2, native byte-order)
9.2.rwmbmyrA.pif.33590f08.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.rwmbmyrA.pif.33590f08.4.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
9.2.rwmbmyrA.pif.33590f08.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.2.rwmbmyrA.pif.33590f08.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x412e9:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x4135b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x413e5:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x41477:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x414e1:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x41553:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x415e9:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x41679:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
9.2.rwmbmyrA.pif.33590f08.4.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x3b193:$s2: GetPrivateProfileString 0x3e47d:$s3: get_OSFullName 0x3b933:$s5: remove_Key 0x3b953:$s5: remove_Key 0x3e8d8:$s6: FtpWebRequest 0x412cb:$s7: logins 0x4183d:$s7: logins 0x44520:$s7: logins 0x44600:$s7: logins 0x476ce:$s7: logins 0x4519a:$s9: 1.85 (Hash, version 2, native byte-order)
9.1.rwmbmyrA.pif.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 AF 88 44 24 2B 88 44 24 2F B0 73 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
12.2.rwmbmyrA.pif.34660f08.8.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.rwmbmyrA.pif.34660f08.8.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
12.2.rwmbmyrA.pif.34660f08.8.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
12.2.rwmbmyrA.pif.34660f08.8.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x412e9:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x4135b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x413e5:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x41477:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x414e1:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x41553:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x415e9:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x41679:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
12.2.rwmbmyrA.pif.34660f08.8.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x3b193:$s2: GetPrivateProfileString 0x3e47d:$s3: get_OSFullName 0x3b933:$s5: remove_Key 0x3b953:$s5: remove_Key 0x3e8d8:$s6: FtpWebRequest 0x412cb:$s7: logins 0x4183d:$s7: logins 0x44520:$s7: logins 0x44600:$s7: logins 0x476ce:$s7: logins 0x4519a:$s9: 1.85 (Hash, version 2, native byte-order)
12.2.rwmbmyrA.pif.34700000.9.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.rwmbmyrA.pif.34700000.9.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
12.2.rwmbmyrA.pif.34700000.9.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
12.2.rwmbmyrA.pif.34700000.9.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x412e9:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x4135b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x413e5:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x41477:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x414e1:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x41553:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x415e9:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x41679:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
12.2.rwmbmyrA.pif.34700000.9.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x3b193:$s2: GetPrivateProfileString 0x3e47d:$s3: get_OSFullName 0x3b933:$s5: remove_Key 0x3b953:$s5: remove_Key 0x3e8d8:$s6: FtpWebRequest 0x412cb:$s7: logins 0x4183d:$s7: logins 0x44520:$s7: logins 0x44600:$s7: logins 0x476ce:$s7: logins 0x4519a:$s9: 1.85 (Hash, version 2, native byte-order)
9.2.rwmbmyrA.pif.34675390.6.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.rwmbmyrA.pif.34675390.6.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
9.2.rwmbmyrA.pif.34675390.6.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.2.rwmbmyrA.pif.34675390.6.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3f4e9:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3f55b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3f5e5:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3f677:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3f6e1:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3f753:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3f7e9:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3f879:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
9.2.rwmbmyrA.pif.34675390.6.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x39393:$s2: GetPrivateProfileString 0x3c67d:$s3: get_OSFullName 0x39b33:$s5: remove_Key 0x39b53:$s5: remove_Key 0x3cad8:$s6: FtpWebRequest 0x3f4cb:$s7: logins 0x3fa3d:$s7: logins 0x42720:$s7: logins 0x42800:$s7: logins 0x458ce:$s7: logins 0x4339a:$s9: 1.85 (Hash, version 2, native byte-order)
12.2.rwmbmyrA.pif.34700000.9.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.rwmbmyrA.pif.34700000.9.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
12.2.rwmbmyrA.pif.34700000.9.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
12.2.rwmbmyrA.pif.34700000.9.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3f4e9:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3f55b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3f5e5:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3f677:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3f6e1:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3f753:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3f7e9:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3f879:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
12.2.rwmbmyrA.pif.34700000.9.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x39393:$s2: GetPrivateProfileString 0x3c67d:$s3: get_OSFullName 0x39b33:$s5: remove_Key 0x39b53:$s5: remove_Key 0x3cad8:$s6: FtpWebRequest 0x3f4cb:$s7: logins 0x3fa3d:$s7: logins 0x42720:$s7: logins 0x42800:$s7: logins 0x458ce:$s7: logins 0x4339a:$s9: 1.85 (Hash, version 2, native byte-order)
12.2.rwmbmyrA.pif.34660000.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.rwmbmyrA.pif.34660000.7.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
12.2.rwmbmyrA.pif.34660000.7.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
12.2.rwmbmyrA.pif.34660000.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x421f1:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x42263:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x422ed:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x4237f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x423e9:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x4245b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x424f1:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x42581:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
12.2.rwmbmyrA.pif.34660000.7.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x3c09b:$s2: GetPrivateProfileString 0x3f385:$s3: get_OSFullName 0x3c83b:$s5: remove_Key 0x3c85b:$s5: remove_Key 0x3f7e0:$s6: FtpWebRequest 0x421d3:$s7: logins 0x42745:$s7: logins 0x45428:$s7: logins 0x45508:$s7: logins 0x485d6:$s7: logins 0x460a2:$s9: 1.85 (Hash, version 2, native byte-order)
12.2.rwmbmyrA.pif.331e5570.6.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.rwmbmyrA.pif.331e5570.6.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
12.2.rwmbmyrA.pif.331e5570.6.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
12.2.rwmbmyrA.pif.331e5570.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x421f1:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x91109:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x42263:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x9117b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x422ed:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x91205:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x4237f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x91297:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x423e9:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x91301:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x4245b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x91373:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x424f1:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x91409:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x42581:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x91499:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
12.2.rwmbmyrA.pif.331e5570.6.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x3c09b:$s2: GetPrivateProfileString 0x8afb3:$s2: GetPrivateProfileString 0x3f385:$s3: get_OSFullName 0x8e29d:$s3: get_OSFullName 0x3c83b:$s5: remove_Key 0x3c85b:$s5: remove_Key 0x8b753:$s5: remove_Key 0x8b773:$s5: remove_Key 0x3f7e0:$s6: FtpWebRequest 0x8e6f8:$s6: FtpWebRequest 0x421d3:$s7: logins 0x42745:$s7: logins 0x45428:$s7: logins 0x45508:$s7: logins 0x485d6:$s7: logins 0x910eb:$s7: logins 0x9165d:$s7: logins 0x94340:$s7: logins 0x94420:$s7: logins 0x974ee:$s7: logins 0x460a2:$s9: 1.85 (Hash, version 2, native byte-order)
9.2.rwmbmyrA.pif.34626478.8.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.rwmbmyrA.pif.34626478.8.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
9.2.rwmbmyrA.pif.34626478.8.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.2.rwmbmyrA.pif.34626478.8.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x412e9:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x90201:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x4135b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x90273:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x413e5:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x902fd:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x41477:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x9038f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x414e1:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x903f9:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x41553:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x9046b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x415e9:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x90501:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x41679:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x90591:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
9.2.rwmbmyrA.pif.34626478.8.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x3b193:$s2: GetPrivateProfileString 0x8a0ab:$s2: GetPrivateProfileString 0x3e47d:$s3: get_OSFullName 0x8d395:$s3: get_OSFullName 0x3b933:$s5: remove_Key 0x3b953:$s5: remove_Key 0x8a84b:$s5: remove_Key 0x8a86b:$s5: remove_Key 0x3e8d8:$s6: FtpWebRequest 0x8d7f0:$s6: FtpWebRequest 0x412cb:$s7: logins 0x4183d:$s7: logins 0x44520:$s7: logins 0x44600:$s7: logins 0x476ce:$s7: logins 0x901e3:$s7: logins 0x90755:$s7: logins 0x93438:$s7: logins 0x93518:$s7: logins 0x965e6:$s7: logins 0x4519a:$s9: 1.85 (Hash, version 2, native byte-order)
Click to see the 280 entries

Sigma Signatures

System Summary

Sigma detected: DLL Search Order Hijackig Via Additional Space in Path

Source: File created

Author: frack113, Nasreddine Bencherchali: Data: EventID: 11, Image: C:\Users\user\Desktop\D9876543456780000.exe, ProcessId: 5264, TargetFilename: C:\Windows \SysWOW64\NETUTILS.dll

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\\Users\\user\\Links\Arymbmwr.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\D9876543456780000.exe, ProcessId: 5264, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Arymbmwr

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: C:\\Users\\user\\Links\rwmbmyrA.pif, CommandLine: C:\\Users\\user\\Links\rwmbmyrA.pif, CommandLine|base64offset|contains: , Image: C:\Users\user\Links\rwmbmyrA.pif, NewProcessName: C:\Users\user\Links\rwmbmyrA.pif, OriginalFileName: C:\Users\user\Links\rwmbmyrA.pif, ParentCommandLine: "C:\Users\user\Desktop\D9876543456780000.exe", ParentImage: C:\Users\user\Desktop\D9876543456780000.exe, ParentProcessId: 5264, ParentProcessName: D9876543456780000.exe, ProcessCommandLine: C:\\Users\\user\\Links\rwmbmyrA.pif, ProcessId: 4312, ProcessName: rwmbmyrA.pif

Suricata Signatures

ET MALWARE AgentTesla Exfil via FTP

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-05T11:46:33.335234+0100	2029927	1	A Network Trojan was detected	192.168.2.8	49714	162.241.62.63	21	TCP
2025-03-05T11:46:43.078636+0100	2029927	1	A Network Trojan was detected	192.168.2.8	49719	162.241.62.63	21	TCP

ETPRO MALWARE Agent Tesla CnC Exfil Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-05T11:46:33.744281+0100	2855542	1	A Network Trojan was detected	192.168.2.8	49717	162.241.62.63	45550	TCP
2025-03-05T11:46:33.751695+0100	2855542	1	A Network Trojan was detected	192.168.2.8	49717	162.241.62.63	45550	TCP
2025-03-05T11:46:43.489411+0100	2855542	1	A Network Trojan was detected	192.168.2.8	49720	162.241.62.63	36812	TCP
2025-03-05T11:46:43.495505+0100	2855542	1	A Network Trojan was detected	192.168.2.8	49720	162.241.62.63	36812	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: D9876543456780000.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\Links\Arymbmwr.PIF

Avira: detection malicious, Label: TR/AD.Nekark.rwuho

Found malware configuration

Source: 12.2.rwmbmyrA.pif.34700000.9.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.antoniomayol.com:21", "Username": "johnson@antoniomayol.com", "Password": "cMhKDQUk1{;%"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\Links\Arymbmwr.PIF	ReversingLabs: Detection: 31%
Source: C:\Users\user\Links\Arymbmwr.PIF	Virustotal: Detection: 27%			Perma Link

Multi AV Scanner detection for submitted file

Source: D9876543456780000.exe	Virustotal: Detection: 27%			Perma Link
Source: D9876543456780000.exe	ReversingLabs: Detection: 31%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Links\rwmbmyrA.pif	Unpacked PE file: 7.2.rwmbmyrA.pif.400000.1.unpack
Source: C:\Users\user\Links\rwmbmyrA.pif	Unpacked PE file: 9.2.rwmbmyrA.pif.400000.0.unpack
Source: C:\Users\user\Links\rwmbmyrA.pif	Unpacked PE file: 12.2.rwmbmyrA.pif.400000.0.unpack

Source: D9876543456780000.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source:	Binary string: easinvoker.pdb source: D9876543456780000.exe, 00000000.00000002.1722849844.00000000205F7000.00000004.00001000.00020000.00000000.sdmp, D9876543456780000.exe, 00000000.00000002.1722849844.00000000205E0000.00000004.00001000.00020000.00000000.sdmp, D9876543456780000.exe, 00000000.00000003.1683811234.000000007F0A0000.00000004.00001000.00020000.00000000.sdmp, D9876543456780000.exe, 00000000.00000003.1684271849.000000007EF80000.00000004.00001000.00020000.00000000.sdmp, D9876543456780000.exe, 00000000.00000002.1722849844.0000000020580000.00000004.00001000.00020000.00000000.sdmp, D9876543456780000.exe, 00000000.00000003.1684271849.000000007EF93000.00000004.00001000.00020000.00000000.sdmp, rwmbmyrA.pif, 00000007.00000002.1846366620.0000000000710000.00000040.00000400.00020000.00000000.sdmp, rwmbmyrA.pif, 00000009.00000001.1808799246.0000000000670000.00000040.00000001.00020000.00000000.sdmp, rwmbmyrA.pif, 0000000C.00000001.1895125700.0000000000670000.00000040.00000001.00020000.00000000.sdmp
Source:	Binary string: _.pdb source: rwmbmyrA.pif, 00000007.00000002.1867038136.000000001C6BF000.00000004.00000020.00020000.00000000.sdmp, rwmbmyrA.pif, 00000007.00000003.1692827572.000000001AC96000.00000004.00000020.00020000.00000000.sdmp, rwmbmyrA.pif, 00000007.00000002.1868715464.000000001DA11000.00000004.00000800.00020000.00000000.sdmp, rwmbmyrA.pif, 00000007.00000002.1869048086.000000001EEB0000.00000004.08000000.00040000.00000000.sdmp, rwmbmyrA.pif, 00000007.00000002.1865020976.000000001ACD0000.00000004.00000020.00020000.00000000.sdmp, rwmbmyrA.pif, 00000009.00000002.1961012950.0000000034621000.00000004.00000800.00020000.00000000.sdmp, rwmbmyrA.pif, 00000009.00000003.1811055079.000000003157E000.00000004.00000020.00020000.00000000.sdmp, rwmbmyrA.pif, 00000009.00000002.1958255110.000000003313F000.00000004.00000020.00020000.00000000.sdmp, rwmbmyrA.pif, 00000009.00000002.1959445791.0000000033590000.00000004.08000000.00040000.00000000.sdmp, rwmbmyrA.pif, 0000000C.00000002.2953099355.00000000331E1000.00000004.00000800.00020000.00000000.sdmp, rwmbmyrA.pif, 0000000C.00000002.2953458716.0000000034660000.00000004.08000000.00040000.00000000.sdmp, rwmbmyrA.pif, 0000000C.00000002.2952134787.0000000031F1F000.00000004.00000020.00020000.00000000.sdmp, rwmbmyrA.pif, 0000000C.00000003.1900917450.00000000304A0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdbGCTL source: D9876543456780000.exe, 00000000.00000002.1722849844.00000000205F7000.00000004.00001000.00020000.00000000.sdmp, D9876543456780000.exe, 00000000.00000002.1722849844.00000000205E0000.00000004.00001000.00020000.00000000.sdmp, D9876543456780000.exe, 00000000.00000003.1685536723.00000000007EF000.00000004.00000020.00020000.00000000.sdmp, D9876543456780000.exe, 00000000.00000003.1685536723.0000000000818000.00000004.00000020.00020000.00000000.sdmp, D9876543456780000.exe, 00000000.00000003.1683811234.000000007F0A0000.00000004.00001000.00020000.00000000.sdmp, D9876543456780000.exe, 00000000.00000003.1684271849.000000007EF80000.00000004.00001000.00020000.00000000.sdmp, D9876543456780000.exe, 00000000.00000002.1722849844.0000000020580000.00000004.00001000.00020000.00000000.sdmp, D9876543456780000.exe, 00000000.00000003.1684271849.000000007EF93000.00000004.00001000.00020000.00000000.sdmp, rwmbmyrA.pif, 00000007.00000002.1846366620.0000000000710000.00000040.00000400.00020000.00000000.sdmp, rwmbmyrA.pif, 00000009.00000001.1808799246.0000000000670000.00000040.00000001.00020000.00000000.sdmp, rwmbmyrA.pif, 0000000C.00000001.1895125700.0000000000670000.00000040.00000001.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\D9876543456780000.exe

Code function: 0_2_028A52F8 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,

0_2_028A52F8

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.8:49717 -> 162.241.62.63:45550
Source: Network traffic	Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.8:49720 -> 162.241.62.63:36812
Source: Network traffic	Suricata IDS: 2029927 - Severity 1 - ET MALWARE AgentTesla Exfil via FTP : 192.168.2.8:49714 -> 162.241.62.63:21
Source: Network traffic	Suricata IDS: 2029927 - Severity 1 - ET MALWARE AgentTesla Exfil via FTP : 192.168.2.8:49719 -> 162.241.62.63:21

Source: global traffic

TCP traffic: 192.168.2.8:49717 -> 162.241.62.63:45550

Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View	IP Address: 162.241.62.63 162.241.62.63

Source: unknown

DNS query: name: ip-api.com

Source: unknown

FTP traffic detected: 162.241.62.63:21 -> 192.168.2.8:49714 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 150 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 150 allowed.220-Local time is now 04:46. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 150 allowed.220-Local time is now 04:46. Server port: 21.220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 150 allowed.220-Local time is now 04:46. Server port: 21.220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: ftp.antoniomayol.com

Source: rwmbmyrA.pif, 00000007.00000002.1867501454.000000001CA6E000.00000004.00000800.00020000.00000000.sdmp, rwmbmyrA.pif, 00000009.00000002.1959828527.000000003367E000.00000004.00000800.00020000.00000000.sdmp, rwmbmyrA.pif, 0000000C.00000002.2952506379.000000003223D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://antoniomayol.com
Source: rwmbmyrA.pif, 00000007.00000002.1867501454.000000001CA6E000.00000004.00000800.00020000.00000000.sdmp, rwmbmyrA.pif, 00000009.00000002.1959828527.000000003367E000.00000004.00000800.00020000.00000000.sdmp, rwmbmyrA.pif, 0000000C.00000002.2952506379.000000003223D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ftp.antoniomayol.com
Source: rwmbmyrA.pif, 00000007.00000002.1867501454.000000001CA11000.00000004.00000800.00020000.00000000.sdmp, rwmbmyrA.pif, 00000009.00000002.1959828527.0000000033621000.00000004.00000800.00020000.00000000.sdmp, rwmbmyrA.pif, 0000000C.00000002.2952506379.00000000321E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: rwmbmyrA.pif, 00000007.00000002.1867038136.000000001C6BF000.00000004.00000020.00020000.00000000.sdmp, rwmbmyrA.pif, 00000007.00000003.1692827572.000000001AC96000.00000004.00000020.00020000.00000000.sdmp, rwmbmyrA.pif, 00000007.00000002.1867501454.000000001CA11000.00000004.00000800.00020000.00000000.sdmp, rwmbmyrA.pif, 00000007.00000002.1868715464.000000001DA11000.00000004.00000800.00020000.00000000.sdmp, rwmbmyrA.pif, 00000007.00000002.1869048086.000000001EEB0000.00000004.08000000.00040000.00000000.sdmp, rwmbmyrA.pif, 00000007.00000002.1869683388.000000001F740000.00000004.08000000.00040000.00000000.sdmp, rwmbmyrA.pif, 00000009.00000002.1961012950.0000000034621000.00000004.00000800.00020000.00000000.sdmp, rwmbmyrA.pif, 00000009.00000003.1811055079.000000003157E000.00000004.00000020.00020000.00000000.sdmp, rwmbmyrA.pif, 00000009.00000002.1958255110.000000003313F000.00000004.00000020.00020000.00000000.sdmp, rwmbmyrA.pif, 00000009.00000002.1959828527.0000000033621000.00000004.00000800.00020000.00000000.sdmp, rwmbmyrA.pif, 00000009.00000002.1962025501.0000000035BA0000.00000004.08000000.00040000.00000000.sdmp, rwmbmyrA.pif, 00000009.00000002.1959445791.0000000033590000.00000004.08000000.00040000.00000000.sdmp, rwmbmyrA.pif, 0000000C.00000002.2953099355.00000000331E1000.00000004.00000800.00020000.00000000.sdmp, rwmbmyrA.pif, 0000000C.00000002.2954305283.0000000034700000.00000004.08000000.00040000.00000000.sdmp, rwmbmyrA.pif, 0000000C.00000002.2953458716.0000000034660000.00000004.08000000.00040000.00000000.sdmp, rwmbmyrA.pif, 0000000C.00000002.2952506379.00000000321E1000.00000004.00000800.00020000.00000000.sdmp, rwmbmyrA.pif, 0000000C.00000002.2952134787.0000000031F1F000.00000004.00000020.00020000.00000000.sdmp, rwmbmyrA.pif, 0000000C.00000003.1900917450.00000000304A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: rwmbmyrA.pif, 00000007.00000002.1867501454.000000001CA11000.00000004.00000800.00020000.00000000.sdmp, rwmbmyrA.pif, 00000009.00000002.1959828527.0000000033621000.00000004.00000800.00020000.00000000.sdmp, rwmbmyrA.pif, 0000000C.00000002.2952506379.00000000321E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: D9876543456780000.exe, 00000000.00000002.1722849844.000000002064A000.00000004.00001000.00020000.00000000.sdmp, D9876543456780000.exe, 00000000.00000003.1683811234.000000007F0F5000.00000004.00001000.00020000.00000000.sdmp, D9876543456780000.exe, 00000000.00000003.1684271849.000000007EFD5000.00000004.00001000.00020000.00000000.sdmp, D9876543456780000.exe, 00000000.00000002.1722849844.00000000205F7000.00000004.00001000.00020000.00000000.sdmp, D9876543456780000.exe, 00000000.00000002.1691175206.00000000007ED000.00000004.00000020.00020000.00000000.sdmp, D9876543456780000.exe, 00000000.00000002.1722849844.0000000020580000.00000004.00001000.00020000.00000000.sdmp, D9876543456780000.exe, 00000000.00000002.1724798445.0000000020F30000.00000004.00000020.00020000.00000000.sdmp, D9876543456780000.exe, 00000000.00000003.1684271849.000000007EF93000.00000004.00001000.00020000.00000000.sdmp, rwmbmyrA.pif, 00000007.00000000.1689731993.0000000000416000.00000002.00000001.01000000.00000005.sdmp, rwmbmyrA.pif, 00000007.00000002.1846366620.0000000000765000.00000040.00000400.00020000.00000000.sdmp, rwmbmyrA.pif, 00000009.00000001.1808799246.00000000006C5000.00000040.00000001.00020000.00000000.sdmp, rwmbmyrA.pif, 00000009.00000000.1808541758.0000000000416000.00000002.00000001.01000000.00000005.sdmp, rwmbmyrA.pif, 0000000C.00000000.1894728276.0000000000416000.00000002.00000001.01000000.00000005.sdmp, rwmbmyrA.pif, 0000000C.00000001.1895125700.00000000006C5000.00000040.00000001.00020000.00000000.sdmp, rwmbmyrA.pif.0.dr	String found in binary or memory: http://www.pmail.com
Source: rwmbmyrA.pif, 00000007.00000002.1867038136.000000001C6BF000.00000004.00000020.00020000.00000000.sdmp, rwmbmyrA.pif, 00000007.00000003.1692827572.000000001AC96000.00000004.00000020.00020000.00000000.sdmp, rwmbmyrA.pif, 00000007.00000002.1868715464.000000001DA11000.00000004.00000800.00020000.00000000.sdmp, rwmbmyrA.pif, 00000007.00000002.1869048086.000000001EEB0000.00000004.08000000.00040000.00000000.sdmp, rwmbmyrA.pif, 00000007.00000002.1869683388.000000001F740000.00000004.08000000.00040000.00000000.sdmp, rwmbmyrA.pif, 00000009.00000002.1961012950.0000000034621000.00000004.00000800.00020000.00000000.sdmp, rwmbmyrA.pif, 00000009.00000003.1811055079.000000003157E000.00000004.00000020.00020000.00000000.sdmp, rwmbmyrA.pif, 00000009.00000002.1958255110.000000003313F000.00000004.00000020.00020000.00000000.sdmp, rwmbmyrA.pif, 00000009.00000002.1962025501.0000000035BA0000.00000004.08000000.00040000.00000000.sdmp, rwmbmyrA.pif, 00000009.00000002.1959445791.0000000033590000.00000004.08000000.00040000.00000000.sdmp, rwmbmyrA.pif, 0000000C.00000002.2953099355.00000000331E1000.00000004.00000800.00020000.00000000.sdmp, rwmbmyrA.pif, 0000000C.00000002.2954305283.0000000034700000.00000004.08000000.00040000.00000000.sdmp, rwmbmyrA.pif, 0000000C.00000002.2953458716.0000000034660000.00000004.08000000.00040000.00000000.sdmp, rwmbmyrA.pif, 0000000C.00000002.2952134787.0000000031F1F000.00000004.00000020.00020000.00000000.sdmp, rwmbmyrA.pif, 0000000C.00000003.1900917450.00000000304A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 7.2.rwmbmyrA.pif.1f740000.9.raw.unpack, n00.cs

.Net Code: HaECsc

System Summary

Malicious sample detected (through community Yara rule)

Source: 9.1.rwmbmyrA.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 7.2.rwmbmyrA.pif.1da65390.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.rwmbmyrA.pif.1da65390.4.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 12.2.rwmbmyrA.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 12.2.rwmbmyrA.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 9.2.rwmbmyrA.pif.3317fe86.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.rwmbmyrA.pif.3317fe86.2.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 7.2.rwmbmyrA.pif.1da65390.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.rwmbmyrA.pif.1da65390.4.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 9.2.rwmbmyrA.pif.33590000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.rwmbmyrA.pif.33590000.5.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 7.3.rwmbmyrA.pif.1ac96d68.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.3.rwmbmyrA.pif.1ac96d68.0.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 7.1.rwmbmyrA.pif.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 7.2.rwmbmyrA.pif.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 9.2.rwmbmyrA.pif.34625570.7.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.rwmbmyrA.pif.34625570.7.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 12.2.rwmbmyrA.pif.31f60d8e.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 12.2.rwmbmyrA.pif.31f60d8e.3.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 9.2.rwmbmyrA.pif.34675390.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.rwmbmyrA.pif.34675390.6.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 12.2.rwmbmyrA.pif.34660000.7.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 12.2.rwmbmyrA.pif.34660000.7.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 12.2.rwmbmyrA.pif.331e5570.6.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 12.2.rwmbmyrA.pif.331e5570.6.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 7.2.rwmbmyrA.pif.1da15570.6.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.rwmbmyrA.pif.1da15570.6.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 9.2.rwmbmyrA.pif.33590f08.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.rwmbmyrA.pif.33590f08.4.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 9.2.rwmbmyrA.pif.33180d8e.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.rwmbmyrA.pif.33180d8e.3.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 9.3.rwmbmyrA.pif.3157e9d0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.3.rwmbmyrA.pif.3157e9d0.0.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 7.2.rwmbmyrA.pif.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 9.2.rwmbmyrA.pif.35ba0000.9.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.rwmbmyrA.pif.35ba0000.9.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 7.2.rwmbmyrA.pif.1c700d8e.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.rwmbmyrA.pif.1c700d8e.2.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 9.2.rwmbmyrA.pif.3317fe86.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.rwmbmyrA.pif.3317fe86.2.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 9.3.rwmbmyrA.pif.3157e9d0.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.3.rwmbmyrA.pif.3157e9d0.0.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 12.2.rwmbmyrA.pif.33235390.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 12.2.rwmbmyrA.pif.33235390.5.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 12.2.rwmbmyrA.pif.31f60d8e.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 12.2.rwmbmyrA.pif.31f60d8e.3.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 12.2.rwmbmyrA.pif.31f5fe86.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 12.2.rwmbmyrA.pif.31f5fe86.2.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 7.3.rwmbmyrA.pif.1ac96d68.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.3.rwmbmyrA.pif.1ac96d68.0.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 12.3.rwmbmyrA.pif.304a08f8.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 12.3.rwmbmyrA.pif.304a08f8.0.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 12.1.rwmbmyrA.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 12.2.rwmbmyrA.pif.34660f08.8.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 12.2.rwmbmyrA.pif.34660f08.8.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 7.2.rwmbmyrA.pif.1f740000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.rwmbmyrA.pif.1f740000.9.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 7.2.rwmbmyrA.pif.1eeb0000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.rwmbmyrA.pif.1eeb0000.8.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 12.2.rwmbmyrA.pif.33235390.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 12.2.rwmbmyrA.pif.33235390.5.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 9.2.rwmbmyrA.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 7.2.rwmbmyrA.pif.1f740000.9.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.rwmbmyrA.pif.1f740000.9.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 9.2.rwmbmyrA.pif.33180d8e.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.rwmbmyrA.pif.33180d8e.3.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 12.2.rwmbmyrA.pif.31f5fe86.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 12.2.rwmbmyrA.pif.31f5fe86.2.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 7.2.rwmbmyrA.pif.1da16478.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.rwmbmyrA.pif.1da16478.5.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 7.2.rwmbmyrA.pif.1da16478.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.rwmbmyrA.pif.1da16478.5.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 12.3.rwmbmyrA.pif.304a08f8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 12.3.rwmbmyrA.pif.304a08f8.0.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 9.2.rwmbmyrA.pif.34625570.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.rwmbmyrA.pif.34625570.7.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 12.2.rwmbmyrA.pif.331e6478.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 12.2.rwmbmyrA.pif.331e6478.4.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 7.2.rwmbmyrA.pif.1eeb0f08.7.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.rwmbmyrA.pif.1eeb0f08.7.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 9.2.rwmbmyrA.pif.34626478.8.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.rwmbmyrA.pif.34626478.8.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 7.2.rwmbmyrA.pif.1c6ffe86.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.rwmbmyrA.pif.1c6ffe86.3.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 9.2.rwmbmyrA.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 7.2.rwmbmyrA.pif.1c6ffe86.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.rwmbmyrA.pif.1c6ffe86.3.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 12.2.rwmbmyrA.pif.331e6478.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 12.2.rwmbmyrA.pif.331e6478.4.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 7.1.rwmbmyrA.pif.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 7.2.rwmbmyrA.pif.1da15570.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.rwmbmyrA.pif.1da15570.6.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 9.2.rwmbmyrA.pif.35ba0000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.rwmbmyrA.pif.35ba0000.9.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 7.2.rwmbmyrA.pif.1eeb0000.8.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.rwmbmyrA.pif.1eeb0000.8.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 7.2.rwmbmyrA.pif.1eeb0f08.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.rwmbmyrA.pif.1eeb0f08.7.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 12.1.rwmbmyrA.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 7.2.rwmbmyrA.pif.1c700d8e.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.rwmbmyrA.pif.1c700d8e.2.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 9.2.rwmbmyrA.pif.33590000.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.rwmbmyrA.pif.33590000.5.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 9.2.rwmbmyrA.pif.33590f08.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.rwmbmyrA.pif.33590f08.4.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 9.1.rwmbmyrA.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 12.2.rwmbmyrA.pif.34660f08.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 12.2.rwmbmyrA.pif.34660f08.8.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 12.2.rwmbmyrA.pif.34700000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 12.2.rwmbmyrA.pif.34700000.9.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 9.2.rwmbmyrA.pif.34675390.6.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.rwmbmyrA.pif.34675390.6.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 12.2.rwmbmyrA.pif.34700000.9.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 12.2.rwmbmyrA.pif.34700000.9.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 12.2.rwmbmyrA.pif.34660000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 12.2.rwmbmyrA.pif.34660000.7.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 12.2.rwmbmyrA.pif.331e5570.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 12.2.rwmbmyrA.pif.331e5570.6.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 9.2.rwmbmyrA.pif.34626478.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.rwmbmyrA.pif.34626478.8.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 00000009.00000001.1808799246.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000000C.00000002.2930555971.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000000C.00000002.2954305283.0000000034700000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0000000C.00000002.2954305283.0000000034700000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0000000C.00000002.2953458716.0000000034660000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0000000C.00000002.2953458716.0000000034660000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0000000C.00000001.1895125700.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000009.00000002.1924122162.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000007.00000002.1869048086.000000001EEB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000007.00000002.1869048086.000000001EEB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 00000007.00000002.1846366620.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000007.00000002.1869683388.000000001F740000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000007.00000002.1869683388.000000001F740000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 00000007.00000001.1690006948.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000009.00000002.1959445791.0000000033590000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000009.00000002.1959445791.0000000033590000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 00000009.00000002.1962025501.0000000035BA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000009.00000002.1962025501.0000000035BA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen

Source: C:\Users\user\Desktop\D9876543456780000.exe	Code function: 0_2_028B421C GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	0_2_028B421C
Source: C:\Users\user\Desktop\D9876543456780000.exe	Code function: 0_2_028B3380 NtWriteVirtualMemory,	0_2_028B3380
Source: C:\Users\user\Desktop\D9876543456780000.exe	Code function: 0_2_028B3034 NtAllocateVirtualMemory,	0_2_028B3034
Source: C:\Users\user\Desktop\D9876543456780000.exe	Code function: 0_2_028B9654 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose,	0_2_028B9654
Source: C:\Users\user\Desktop\D9876543456780000.exe	Code function: 0_2_028B9738 RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose,	0_2_028B9738
Source: C:\Users\user\Desktop\D9876543456780000.exe	Code function: 0_2_028B95CC RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,	0_2_028B95CC
Source: C:\Users\user\Desktop\D9876543456780000.exe	Code function: 0_2_028B3B44 NtUnmapViewOfSection,	0_2_028B3B44
Source: C:\Users\user\Desktop\D9876543456780000.exe	Code function: 0_2_028B38D4 NtReadVirtualMemory,	0_2_028B38D4
Source: C:\Users\user\Desktop\D9876543456780000.exe	Code function: 0_2_028B421A GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	0_2_028B421A
Source: C:\Users\user\Desktop\D9876543456780000.exe	Code function: 0_2_028B3032 NtAllocateVirtualMemory,	0_2_028B3032
Source: C:\Users\user\Desktop\D9876543456780000.exe	Code function: 0_2_028B9578 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,	0_2_028B9578
Source: C:\Users\user\Links\Arymbmwr.PIF	Code function: 8_2_0299421C GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	8_2_0299421C
Source: C:\Users\user\Links\Arymbmwr.PIF	Code function: 8_2_02993380 NtWriteVirtualMemory,	8_2_02993380
Source: C:\Users\user\Links\Arymbmwr.PIF	Code function: 8_2_02993B44 NtUnmapViewOfSection,	8_2_02993B44
Source: C:\Users\user\Links\Arymbmwr.PIF	Code function: 8_2_029938D4 NtReadVirtualMemory,	8_2_029938D4
Source: C:\Users\user\Links\Arymbmwr.PIF	Code function: 8_2_02993034 NtAllocateVirtualMemory,	8_2_02993034
Source: C:\Users\user\Links\Arymbmwr.PIF	Code function: 8_2_02999738 RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose,	8_2_02999738
Source: C:\Users\user\Links\Arymbmwr.PIF	Code function: 8_2_0299421A GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	8_2_0299421A
Source: C:\Users\user\Links\Arymbmwr.PIF	Code function: 8_2_02993BD0 NtUnmapViewOfSection,	8_2_02993BD0
Source: C:\Users\user\Links\Arymbmwr.PIF	Code function: 8_2_02999809 NtQueryInformationFile,NtReadFile,NtClose,	8_2_02999809
Source: C:\Users\user\Links\Arymbmwr.PIF	Code function: 8_2_02993032 NtAllocateVirtualMemory,	8_2_02993032
Source: C:\Users\user\Links\Arymbmwr.PIF	Code function: 8_2_0299396E NtReadVirtualMemory,	8_2_0299396E
Source: C:\Users\user\Links\Arymbmwr.PIF	Code function: 8_2_02999654 RtlDosPathNameToNtPathName_U,NtWriteFile,NtClose,	8_2_02999654
Source: C:\Users\user\Links\Arymbmwr.PIF	Code function: 8_2_0299341B NtWriteVirtualMemory,	8_2_0299341B
Source: C:\Users\user\Links\Arymbmwr.PIF	Code function: 8_2_029995CC RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,	8_2_029995CC
Source: C:\Users\user\Links\Arymbmwr.PIF	Code function: 8_2_02999578 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,	8_2_02999578
Source: C:\Users\user\Links\Arymbmwr.PIF	Code function: 11_2_029A421C GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	11_2_029A421C
Source: C:\Users\user\Links\Arymbmwr.PIF	Code function: 11_2_029A3380 NtWriteVirtualMemory,	11_2_029A3380
Source: C:\Users\user\Links\Arymbmwr.PIF	Code function: 11_2_029A3B44 NtUnmapViewOfSection,	11_2_029A3B44
Source: C:\Users\user\Links\Arymbmwr.PIF	Code function: 11_2_029A38D4 NtReadVirtualMemory,	11_2_029A38D4
Source: C:\Users\user\Links\Arymbmwr.PIF	Code function: 11_2_029A3034 NtAllocateVirtualMemory,	11_2_029A3034
Source: C:\Users\user\Links\Arymbmwr.PIF	Code function: 11_2_029A9738 RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose,	11_2_029A9738
Source: C:\Users\user\Links\Arymbmwr.PIF	Code function: 11_2_029A421A GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	11_2_029A421A
Source: C:\Users\user\Links\Arymbmwr.PIF	Code function: 11_2_029A3BD0 NtUnmapViewOfSection,	11_2_029A3BD0
Source: C:\Users\user\Links\Arymbmwr.PIF	Code function: 11_2_029A9809 NtQueryInformationFile,NtReadFile,NtClose,	11_2_029A9809
Source: C:\Users\user\Links\Arymbmwr.PIF	Code function: 11_2_029A3032 NtAllocateVirtualMemory,	11_2_029A3032
Source: C:\Users\user\Links\Arymbmwr.PIF	Code function: 11_2_029A396E NtReadVirtualMemory,	11_2_029A396E
Source: C:\Users\user\Links\Arymbmwr.PIF	Code function: 11_2_029A9654 RtlDosPathNameToNtPathName_U,NtWriteFile,NtClose,	11_2_029A9654
Source: C:\Users\user\Links\Arymbmwr.PIF	Code function: 11_2_029A341B NtWriteVirtualMemory,	11_2_029A341B
Source: C:\Users\user\Links\Arymbmwr.PIF	Code function: 11_2_029A95CC RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,	11_2_029A95CC
Source: C:\Users\user\Links\Arymbmwr.PIF	Code function: 11_2_029A9578 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,	11_2_029A9578

Source: C:\Users\user\Desktop\D9876543456780000.exe

Code function: 0_2_028BA634 InetIsOffline,Sleep,CreateProcessAsUserW,ResumeThread,CloseHandle,CloseHandle,ExitProcess,

0_2_028BA634

Source: C:\Users\user\Desktop\D9876543456780000.exe	Code function: 0_2_028A20B4	0_2_028A20B4
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 7_2_00408C60	7_2_00408C60
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 7_2_0040DC11	7_2_0040DC11
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 7_2_00407C3F	7_2_00407C3F
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 7_2_00418CCC	7_2_00418CCC
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 7_2_00406CA0	7_2_00406CA0
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 7_2_004028B0	7_2_004028B0
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 7_2_0041A4BE	7_2_0041A4BE
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 7_2_00418244	7_2_00418244
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 7_2_00401650	7_2_00401650
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 7_2_00402F20	7_2_00402F20
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 7_2_004193C4	7_2_004193C4
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 7_2_00418788	7_2_00418788
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 7_2_00402F89	7_2_00402F89
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 7_2_00402B90	7_2_00402B90
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 7_2_004073A0	7_2_004073A0
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 7_2_1C7ECA78	7_2_1C7ECA78
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 7_2_1C7ED690	7_2_1C7ED690
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 7_2_1C7E1030	7_2_1C7E1030
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 7_2_1C7ECDC0	7_2_1C7ECDC0
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 7_2_1C7EF648	7_2_1C7EF648
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 7_2_1C7E1298	7_2_1C7E1298
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 7_2_1C7E0FD0	7_2_1C7E0FD0
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 7_2_1FF3C780	7_2_1FF3C780
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 7_2_1FF39330	7_2_1FF39330
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 7_2_1FF3EA58	7_2_1FF3EA58
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 7_2_1FF36A00	7_2_1FF36A00
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 7_2_1FF3B978	7_2_1FF3B978
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 7_2_205BA048	7_2_205BA048
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 7_2_205B00A0	7_2_205B00A0
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 7_2_205B4E7A	7_2_205B4E7A
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 7_2_205B5E08	7_2_205B5E08
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 7_2_205B1188	7_2_205B1188
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 7_2_205B82D8	7_2_205B82D8
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 7_2_209E7610	7_2_209E7610
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 7_2_209ED760	7_2_209ED760
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 7_2_209E4B28	7_2_209E4B28
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 7_2_209E5DD8	7_2_209E5DD8
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 7_1_00408C60	7_1_00408C60
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 7_1_0040DC11	7_1_0040DC11
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 7_1_00407C3F	7_1_00407C3F
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 7_1_00418CCC	7_1_00418CCC
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 7_1_00406CA0	7_1_00406CA0
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 7_1_004028B0	7_1_004028B0
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 7_1_0041A4BE	7_1_0041A4BE
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 7_1_00418244	7_1_00418244
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 7_1_00401650	7_1_00401650
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 7_1_00402F20	7_1_00402F20
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 7_1_004193C4	7_1_004193C4
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 7_1_00418788	7_1_00418788
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 7_1_00402F89	7_1_00402F89
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 7_1_00402B90	7_1_00402B90
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 7_1_004073A0	7_1_004073A0
Source: C:\Users\user\Links\Arymbmwr.PIF	Code function: 8_2_029820B4	8_2_029820B4
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 9_2_00408C60	9_2_00408C60
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 9_2_0040DC11	9_2_0040DC11
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 9_2_00407C3F	9_2_00407C3F
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 9_2_00418CCC	9_2_00418CCC
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 9_2_00406CA0	9_2_00406CA0
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 9_2_004028B0	9_2_004028B0
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 9_2_0041A4BE	9_2_0041A4BE
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 9_2_00418244	9_2_00418244
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 9_2_00401650	9_2_00401650
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 9_2_00402F20	9_2_00402F20
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 9_2_004193C4	9_2_004193C4
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 9_2_00418788	9_2_00418788
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 9_2_00402F89	9_2_00402F89
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 9_2_00402B90	9_2_00402B90
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 9_2_004073A0	9_2_004073A0
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 9_2_3345CA80	9_2_3345CA80
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 9_2_3345D698	9_2_3345D698
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 9_2_33451358	9_2_33451358
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 9_2_33451378	9_2_33451378
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 9_2_33450FD0	9_2_33450FD0
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 9_2_3345F658	9_2_3345F658
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 9_2_334512CA	9_2_334512CA
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 9_2_33451298	9_2_33451298
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 9_2_3345CDC8	9_2_3345CDC8
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 9_2_33451030	9_2_33451030
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 9_2_36BAC780	9_2_36BAC780
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 9_2_36BAEA58	9_2_36BAEA58
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 9_2_36BA63E4	9_2_36BA63E4
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 9_2_36BA9618	9_2_36BA9618
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 9_2_36BA9330	9_2_36BA9330
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 9_2_36BAF19B	9_2_36BAF19B
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 9_2_36BAB978	9_2_36BAB978
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 9_2_3722A048	9_2_3722A048
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 9_2_37225E08	9_2_37225E08
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 9_2_37224E7A	9_2_37224E7A
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 9_2_372282D8	9_2_372282D8
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 9_2_37221188	9_2_37221188
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 9_2_376677A0	9_2_376677A0
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 9_2_37666254	9_2_37666254
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 9_2_3766D8D0	9_2_3766D8D0
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 9_2_37666248	9_2_37666248
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 9_2_376662BB	9_2_376662BB
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 9_2_37666150	9_2_37666150
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 9_2_376661B0	9_2_376661B0
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 9_2_37665F38	9_2_37665F38
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 9_2_37668C31	9_2_37668C31
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 9_1_00408C60	9_1_00408C60
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 9_1_0040DC11	9_1_0040DC11
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 9_1_00407C3F	9_1_00407C3F
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 9_1_00418CCC	9_1_00418CCC
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 9_1_00406CA0	9_1_00406CA0
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 9_1_004028B0	9_1_004028B0
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 9_1_0041A4BE	9_1_0041A4BE
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 9_1_00418244	9_1_00418244
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 9_1_00401650	9_1_00401650
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 9_1_00402F20	9_1_00402F20
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 9_1_004193C4	9_1_004193C4
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 9_1_00418788	9_1_00418788
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 9_1_00402F89	9_1_00402F89
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 9_1_00402B90	9_1_00402B90
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 9_1_004073A0	9_1_004073A0
Source: C:\Users\user\Links\Arymbmwr.PIF	Code function: 11_2_029920B4	11_2_029920B4
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 12_2_00408C60	12_2_00408C60
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 12_2_0040DC11	12_2_0040DC11
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 12_2_00407C3F	12_2_00407C3F
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 12_2_00418CCC	12_2_00418CCC
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 12_2_00406CA0	12_2_00406CA0
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 12_2_004028B0	12_2_004028B0
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 12_2_0041A4BE	12_2_0041A4BE
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 12_2_00418244	12_2_00418244
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 12_2_00401650	12_2_00401650
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 12_2_00402F20	12_2_00402F20
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 12_2_004193C4	12_2_004193C4
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 12_2_00418788	12_2_00418788
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 12_2_00402F89	12_2_00402F89
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 12_2_00402B90	12_2_00402B90
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 12_2_004073A0	12_2_004073A0
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 12_2_31D8D698	12_2_31D8D698
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 12_2_31D8CA80	12_2_31D8CA80
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 12_2_31D8CDC8	12_2_31D8CDC8
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 12_2_31D81030	12_2_31D81030
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 12_2_31D80FD0	12_2_31D80FD0
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 12_2_31D8F658	12_2_31D8F658
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 12_2_356FC780	12_2_356FC780
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 12_2_356F6112	12_2_356F6112
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 12_2_356F5B70	12_2_356F5B70
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 12_2_356F9330	12_2_356F9330
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 12_2_356FEA58	12_2_356FEA58
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 12_2_356F8556	12_2_356F8556
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 12_2_356FB978	12_2_356FB978
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 12_2_356FF1A3	12_2_356FF1A3
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 12_2_35D752A8	12_2_35D752A8
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 12_2_35D74E79	12_2_35D74E79
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 12_2_35D75E08	12_2_35D75E08
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 12_2_35D71878	12_2_35D71878
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 12_2_35D76688	12_2_35D76688
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 12_2_35D71188	12_2_35D71188
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 12_2_35D782D8	12_2_35D782D8
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 12_2_361A77A0	12_2_361A77A0
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 12_2_361A6254	12_2_361A6254
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 12_2_361AD8D0	12_2_361AD8D0
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 12_2_361A6248	12_2_361A6248
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 12_2_361A62BE	12_2_361A62BE
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 12_2_361A6150	12_2_361A6150
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 12_2_361A5F38	12_2_361A5F38
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 12_2_361A8C31	12_2_361A8C31
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 12_1_00408C60	12_1_00408C60
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 12_1_0040DC11	12_1_0040DC11
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 12_1_00407C3F	12_1_00407C3F
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 12_1_00418CCC	12_1_00418CCC
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 12_1_00406CA0	12_1_00406CA0
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 12_1_004028B0	12_1_004028B0
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 12_1_0041A4BE	12_1_0041A4BE
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 12_1_00418244	12_1_00418244
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 12_1_00401650	12_1_00401650
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 12_1_00402F20	12_1_00402F20
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 12_1_004193C4	12_1_004193C4
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 12_1_00418788	12_1_00418788
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 12_1_00402F89	12_1_00402F89
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 12_1_00402B90	12_1_00402B90
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 12_1_004073A0	12_1_004073A0

Source: Joe Sandbox View

Dropped File: C:\Users\user\Links\rwmbmyrA.pif 7BCDC2E607ABC65EF93AFD009C3048970D9E8D1C2A18FC571562396B13EBB301

Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: String function: 00415639 appears 36 times
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: String function: 0040D606 appears 144 times
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: String function: 0040E1D8 appears 264 times
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: String function: 0040FB9C appears 60 times
Source: C:\Users\user\Links\Arymbmwr.PIF	Code function: String function: 02993E20 appears 48 times
Source: C:\Users\user\Links\Arymbmwr.PIF	Code function: String function: 0298457C appears 570 times
Source: C:\Users\user\Links\Arymbmwr.PIF	Code function: String function: 0299457C appears 570 times
Source: C:\Users\user\Links\Arymbmwr.PIF	Code function: String function: 02984414 appears 154 times
Source: C:\Users\user\Links\Arymbmwr.PIF	Code function: String function: 02994414 appears 154 times
Source: C:\Users\user\Links\Arymbmwr.PIF	Code function: String function: 029A3E20 appears 48 times
Source: C:\Users\user\Desktop\D9876543456780000.exe	Code function: String function: 028A421C appears 64 times
Source: C:\Users\user\Desktop\D9876543456780000.exe	Code function: String function: 028A457C appears 835 times
Source: C:\Users\user\Desktop\D9876543456780000.exe	Code function: String function: 028B3E20 appears 54 times
Source: C:\Users\user\Desktop\D9876543456780000.exe	Code function: String function: 028A4414 appears 246 times
Source: C:\Users\user\Desktop\D9876543456780000.exe	Code function: String function: 028B3E9C appears 45 times

Source: D9876543456780000.exe, 00000000.00000002.1722849844.000000002064A000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs D9876543456780000.exe
Source: D9876543456780000.exe, 00000000.00000002.1722849844.000000002064A000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLOADER.EXEB vs D9876543456780000.exe
Source: D9876543456780000.exe, 00000000.00000003.1685536723.0000000000814000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs D9876543456780000.exe
Source: D9876543456780000.exe, 00000000.00000002.1725408967.000000007EAA0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilename3f48bf50-92fb-423b-b12e-206fae123999.exe4 vs D9876543456780000.exe
Source: D9876543456780000.exe, 00000000.00000003.1683811234.000000007F0F5000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs D9876543456780000.exe
Source: D9876543456780000.exe, 00000000.00000003.1683811234.000000007F0F5000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLOADER.EXEB vs D9876543456780000.exe
Source: D9876543456780000.exe, 00000000.00000003.1685536723.0000000000843000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs D9876543456780000.exe
Source: D9876543456780000.exe, 00000000.00000003.1684271849.000000007EFD5000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs D9876543456780000.exe
Source: D9876543456780000.exe, 00000000.00000003.1684271849.000000007EFD5000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLOADER.EXEB vs D9876543456780000.exe
Source: D9876543456780000.exe, 00000000.00000002.1722849844.00000000205F7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs D9876543456780000.exe
Source: D9876543456780000.exe, 00000000.00000002.1722849844.00000000205F7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLOADER.EXEB vs D9876543456780000.exe
Source: D9876543456780000.exe, 00000000.00000002.1722849844.00000000205E0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs D9876543456780000.exe
Source: D9876543456780000.exe, 00000000.00000002.1691175206.00000000007ED000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLOADER.EXEB vs D9876543456780000.exe
Source: D9876543456780000.exe, 00000000.00000002.1722849844.0000000020580000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLOADER.EXEB vs D9876543456780000.exe
Source: D9876543456780000.exe, 00000000.00000002.1724798445.0000000020F30000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLOADER.EXEB vs D9876543456780000.exe
Source: D9876543456780000.exe, 00000000.00000003.1684271849.000000007EF93000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs D9876543456780000.exe
Source: D9876543456780000.exe, 00000000.00000003.1684271849.000000007EF93000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLOADER.EXEB vs D9876543456780000.exe

Source: D9876543456780000.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: 9.1.rwmbmyrA.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 7.2.rwmbmyrA.pif.1da65390.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.rwmbmyrA.pif.1da65390.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 12.2.rwmbmyrA.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 12.2.rwmbmyrA.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 9.2.rwmbmyrA.pif.3317fe86.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.rwmbmyrA.pif.3317fe86.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 7.2.rwmbmyrA.pif.1da65390.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.rwmbmyrA.pif.1da65390.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 9.2.rwmbmyrA.pif.33590000.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.rwmbmyrA.pif.33590000.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 7.3.rwmbmyrA.pif.1ac96d68.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.3.rwmbmyrA.pif.1ac96d68.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 7.1.rwmbmyrA.pif.400000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 7.2.rwmbmyrA.pif.400000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 9.2.rwmbmyrA.pif.34625570.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.rwmbmyrA.pif.34625570.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 12.2.rwmbmyrA.pif.31f60d8e.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 12.2.rwmbmyrA.pif.31f60d8e.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 9.2.rwmbmyrA.pif.34675390.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.rwmbmyrA.pif.34675390.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 12.2.rwmbmyrA.pif.34660000.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 12.2.rwmbmyrA.pif.34660000.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 12.2.rwmbmyrA.pif.331e5570.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 12.2.rwmbmyrA.pif.331e5570.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 7.2.rwmbmyrA.pif.1da15570.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.rwmbmyrA.pif.1da15570.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 9.2.rwmbmyrA.pif.33590f08.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.rwmbmyrA.pif.33590f08.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 9.2.rwmbmyrA.pif.33180d8e.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.rwmbmyrA.pif.33180d8e.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 9.3.rwmbmyrA.pif.3157e9d0.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.3.rwmbmyrA.pif.3157e9d0.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 7.2.rwmbmyrA.pif.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 9.2.rwmbmyrA.pif.35ba0000.9.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.rwmbmyrA.pif.35ba0000.9.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 7.2.rwmbmyrA.pif.1c700d8e.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.rwmbmyrA.pif.1c700d8e.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 9.2.rwmbmyrA.pif.3317fe86.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.rwmbmyrA.pif.3317fe86.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 9.3.rwmbmyrA.pif.3157e9d0.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.3.rwmbmyrA.pif.3157e9d0.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 12.2.rwmbmyrA.pif.33235390.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 12.2.rwmbmyrA.pif.33235390.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 12.2.rwmbmyrA.pif.31f60d8e.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 12.2.rwmbmyrA.pif.31f60d8e.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 12.2.rwmbmyrA.pif.31f5fe86.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 12.2.rwmbmyrA.pif.31f5fe86.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 7.3.rwmbmyrA.pif.1ac96d68.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.3.rwmbmyrA.pif.1ac96d68.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 12.3.rwmbmyrA.pif.304a08f8.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 12.3.rwmbmyrA.pif.304a08f8.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 12.1.rwmbmyrA.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 12.2.rwmbmyrA.pif.34660f08.8.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 12.2.rwmbmyrA.pif.34660f08.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 7.2.rwmbmyrA.pif.1f740000.9.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.rwmbmyrA.pif.1f740000.9.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 7.2.rwmbmyrA.pif.1eeb0000.8.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.rwmbmyrA.pif.1eeb0000.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 12.2.rwmbmyrA.pif.33235390.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 12.2.rwmbmyrA.pif.33235390.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 9.2.rwmbmyrA.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 7.2.rwmbmyrA.pif.1f740000.9.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.rwmbmyrA.pif.1f740000.9.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 9.2.rwmbmyrA.pif.33180d8e.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.rwmbmyrA.pif.33180d8e.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 12.2.rwmbmyrA.pif.31f5fe86.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 12.2.rwmbmyrA.pif.31f5fe86.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 7.2.rwmbmyrA.pif.1da16478.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.rwmbmyrA.pif.1da16478.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 7.2.rwmbmyrA.pif.1da16478.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.rwmbmyrA.pif.1da16478.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 12.3.rwmbmyrA.pif.304a08f8.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 12.3.rwmbmyrA.pif.304a08f8.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 9.2.rwmbmyrA.pif.34625570.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.rwmbmyrA.pif.34625570.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 12.2.rwmbmyrA.pif.331e6478.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 12.2.rwmbmyrA.pif.331e6478.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 7.2.rwmbmyrA.pif.1eeb0f08.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.rwmbmyrA.pif.1eeb0f08.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 9.2.rwmbmyrA.pif.34626478.8.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.rwmbmyrA.pif.34626478.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 7.2.rwmbmyrA.pif.1c6ffe86.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.rwmbmyrA.pif.1c6ffe86.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 9.2.rwmbmyrA.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 7.2.rwmbmyrA.pif.1c6ffe86.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.rwmbmyrA.pif.1c6ffe86.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 12.2.rwmbmyrA.pif.331e6478.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 12.2.rwmbmyrA.pif.331e6478.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 7.1.rwmbmyrA.pif.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 7.2.rwmbmyrA.pif.1da15570.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.rwmbmyrA.pif.1da15570.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 9.2.rwmbmyrA.pif.35ba0000.9.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.rwmbmyrA.pif.35ba0000.9.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 7.2.rwmbmyrA.pif.1eeb0000.8.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.rwmbmyrA.pif.1eeb0000.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 7.2.rwmbmyrA.pif.1eeb0f08.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.rwmbmyrA.pif.1eeb0f08.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 12.1.rwmbmyrA.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 7.2.rwmbmyrA.pif.1c700d8e.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.rwmbmyrA.pif.1c700d8e.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 9.2.rwmbmyrA.pif.33590000.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.rwmbmyrA.pif.33590000.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 9.2.rwmbmyrA.pif.33590f08.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.rwmbmyrA.pif.33590f08.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 9.1.rwmbmyrA.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 12.2.rwmbmyrA.pif.34660f08.8.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 12.2.rwmbmyrA.pif.34660f08.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 12.2.rwmbmyrA.pif.34700000.9.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 12.2.rwmbmyrA.pif.34700000.9.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 9.2.rwmbmyrA.pif.34675390.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.rwmbmyrA.pif.34675390.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 12.2.rwmbmyrA.pif.34700000.9.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 12.2.rwmbmyrA.pif.34700000.9.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 12.2.rwmbmyrA.pif.34660000.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 12.2.rwmbmyrA.pif.34660000.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 12.2.rwmbmyrA.pif.331e5570.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 12.2.rwmbmyrA.pif.331e5570.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 9.2.rwmbmyrA.pif.34626478.8.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.rwmbmyrA.pif.34626478.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 00000009.00000001.1808799246.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000000C.00000002.2930555971.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000000C.00000002.2954305283.0000000034700000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0000000C.00000002.2954305283.0000000034700000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0000000C.00000002.2953458716.0000000034660000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0000000C.00000002.2953458716.0000000034660000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0000000C.00000001.1895125700.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000009.00000002.1924122162.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000007.00000002.1869048086.000000001EEB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000007.00000002.1869048086.000000001EEB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 00000007.00000002.1846366620.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000007.00000002.1869683388.000000001F740000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000007.00000002.1869683388.000000001F740000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 00000007.00000001.1690006948.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000009.00000002.1959445791.0000000033590000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000009.00000002.1959445791.0000000033590000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 00000009.00000002.1962025501.0000000035BA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000009.00000002.1962025501.0000000035BA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload

Source: 7.2.rwmbmyrA.pif.1f740000.9.raw.unpack, NpXw3kw.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 7.2.rwmbmyrA.pif.1f740000.9.raw.unpack, NpXw3kw.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 7.2.rwmbmyrA.pif.1f740000.9.raw.unpack, gyfrCFT5x9I.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 7.2.rwmbmyrA.pif.1f740000.9.raw.unpack, gyfrCFT5x9I.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 7.2.rwmbmyrA.pif.1f740000.9.raw.unpack, gyfrCFT5x9I.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 7.2.rwmbmyrA.pif.1f740000.9.raw.unpack, gyfrCFT5x9I.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 7.2.rwmbmyrA.pif.1f740000.9.raw.unpack, fpnV0Qjz.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 7.2.rwmbmyrA.pif.1f740000.9.raw.unpack, fpnV0Qjz.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: rwmbmyrA.pif, 00000007.00000002.1865020976.000000001ACFD000.00000004.00000020.00020000.00000000.sdmp, rwmbmyrA.pif, 00000007.00000003.1692827572.000000001ACFD000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: ;.VBp

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@17/6@2/2

Source: C:\Users\user\Desktop\D9876543456780000.exe

Code function: 0_2_028A793A GetDiskFreeSpaceA,

0_2_028A793A

Source: C:\Users\user\Links\rwmbmyrA.pif

Code function: 7_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,@__unlockDebuggerData$qv,VariantClear,VariantClear,VariantClear,

7_2_004019F0

Source: C:\Users\user\Links\rwmbmyrA.pif

7_2_004019F0

Source: C:\Users\user\Desktop\D9876543456780000.exe

File created: C:\Users\All Users\863.cmd

Jump to behavior

Source: C:\Users\user\Links\rwmbmyrA.pif	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3636:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2536:120:WilError_03

Source: C:\Users\user\Links\rwmbmyrA.pif	Command line argument: 08A	7_2_00413780
Source: C:\Users\user\Links\rwmbmyrA.pif	Command line argument: 08A	7_2_00413780
Source: C:\Users\user\Links\rwmbmyrA.pif	Command line argument: 08A	7_1_00413780
Source: C:\Users\user\Links\rwmbmyrA.pif	Command line argument: 08A	9_2_00413780
Source: C:\Users\user\Links\rwmbmyrA.pif	Command line argument: 08A	9_2_00413780
Source: C:\Users\user\Links\rwmbmyrA.pif	Command line argument: 08A	9_1_00413780
Source: C:\Users\user\Links\rwmbmyrA.pif	Command line argument: 08A	12_2_00413780
Source: C:\Users\user\Links\rwmbmyrA.pif	Command line argument: 08A	12_2_00413780
Source: C:\Users\user\Links\rwmbmyrA.pif	Command line argument: 08A	12_1_00413780

Source: C:\Users\user\Desktop\D9876543456780000.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Users\user\Links\rwmbmyrA.pif	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Links\rwmbmyrA.pif	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Links\rwmbmyrA.pif	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Links\rwmbmyrA.pif	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Links\rwmbmyrA.pif	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Links\rwmbmyrA.pif	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Links\rwmbmyrA.pif

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\D9876543456780000.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: D9876543456780000.exe	Virustotal: Detection: 27%
Source: D9876543456780000.exe	ReversingLabs: Detection: 31%

Source: C:\Users\user\Desktop\D9876543456780000.exe

File read: C:\Users\user\Desktop\D9876543456780000.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\D9876543456780000.exe "C:\Users\user\Desktop\D9876543456780000.exe"
Source: C:\Users\user\Desktop\D9876543456780000.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\\Users\\All Users\\863.cmd""
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\D9876543456780000.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\\Users\\All Users\\41175.cmd""
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\D9876543456780000.exe	Process created: C:\Users\user\Links\rwmbmyrA.pif C:\\Users\\user\\Links\rwmbmyrA.pif
Source: unknown	Process created: C:\Users\user\Links\Arymbmwr.PIF "C:\Users\user\Links\Arymbmwr.PIF"
Source: C:\Users\user\Links\Arymbmwr.PIF	Process created: C:\Users\user\Links\rwmbmyrA.pif C:\\Users\\user\\Links\rwmbmyrA.pif
Source: unknown	Process created: C:\Users\user\Links\Arymbmwr.PIF "C:\Users\user\Links\Arymbmwr.PIF"
Source: C:\Users\user\Links\Arymbmwr.PIF	Process created: C:\Users\user\Links\rwmbmyrA.pif C:\\Users\\user\\Links\rwmbmyrA.pif
Source: C:\Users\user\Desktop\D9876543456780000.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\\Users\\All Users\\863.cmd""	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\\Users\\All Users\\41175.cmd""	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Process created: C:\Users\user\Links\rwmbmyrA.pif C:\\Users\\user\\Links\rwmbmyrA.pif	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Process created: C:\Users\user\Links\rwmbmyrA.pif C:\\Users\\user\\Links\rwmbmyrA.pif	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Process created: C:\Users\user\Links\rwmbmyrA.pif C:\\Users\\user\\Links\rwmbmyrA.pif	Jump to behavior

Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: url.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??????s?.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ????.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ????.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ????.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??????????.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ????.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ???e???????????.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ???e???????????.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: tquery.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: sppwmi.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: sppcext.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: winscard.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: url.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??????s?.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ????.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ????.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ????.dll	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section loaded: ??.dll	Jump to behavior

Source: C:\Users\user\Desktop\D9876543456780000.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\InProcServer32

Jump to behavior

Source: C:\Users\user\Links\rwmbmyrA.pif

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: D9876543456780000.exe

Static file information: File size 1651712 > 1048576

Source: D9876543456780000.exe

Static PE information: Raw size of .data is bigger than: 0x100000 < 0x10c600

Source:	Binary string: easinvoker.pdb source: D9876543456780000.exe, 00000000.00000002.1722849844.00000000205F7000.00000004.00001000.00020000.00000000.sdmp, D9876543456780000.exe, 00000000.00000002.1722849844.00000000205E0000.00000004.00001000.00020000.00000000.sdmp, D9876543456780000.exe, 00000000.00000003.1683811234.000000007F0A0000.00000004.00001000.00020000.00000000.sdmp, D9876543456780000.exe, 00000000.00000003.1684271849.000000007EF80000.00000004.00001000.00020000.00000000.sdmp, D9876543456780000.exe, 00000000.00000002.1722849844.0000000020580000.00000004.00001000.00020000.00000000.sdmp, D9876543456780000.exe, 00000000.00000003.1684271849.000000007EF93000.00000004.00001000.00020000.00000000.sdmp, rwmbmyrA.pif, 00000007.00000002.1846366620.0000000000710000.00000040.00000400.00020000.00000000.sdmp, rwmbmyrA.pif, 00000009.00000001.1808799246.0000000000670000.00000040.00000001.00020000.00000000.sdmp, rwmbmyrA.pif, 0000000C.00000001.1895125700.0000000000670000.00000040.00000001.00020000.00000000.sdmp
Source:	Binary string: _.pdb source: rwmbmyrA.pif, 00000007.00000002.1867038136.000000001C6BF000.00000004.00000020.00020000.00000000.sdmp, rwmbmyrA.pif, 00000007.00000003.1692827572.000000001AC96000.00000004.00000020.00020000.00000000.sdmp, rwmbmyrA.pif, 00000007.00000002.1868715464.000000001DA11000.00000004.00000800.00020000.00000000.sdmp, rwmbmyrA.pif, 00000007.00000002.1869048086.000000001EEB0000.00000004.08000000.00040000.00000000.sdmp, rwmbmyrA.pif, 00000007.00000002.1865020976.000000001ACD0000.00000004.00000020.00020000.00000000.sdmp, rwmbmyrA.pif, 00000009.00000002.1961012950.0000000034621000.00000004.00000800.00020000.00000000.sdmp, rwmbmyrA.pif, 00000009.00000003.1811055079.000000003157E000.00000004.00000020.00020000.00000000.sdmp, rwmbmyrA.pif, 00000009.00000002.1958255110.000000003313F000.00000004.00000020.00020000.00000000.sdmp, rwmbmyrA.pif, 00000009.00000002.1959445791.0000000033590000.00000004.08000000.00040000.00000000.sdmp, rwmbmyrA.pif, 0000000C.00000002.2953099355.00000000331E1000.00000004.00000800.00020000.00000000.sdmp, rwmbmyrA.pif, 0000000C.00000002.2953458716.0000000034660000.00000004.08000000.00040000.00000000.sdmp, rwmbmyrA.pif, 0000000C.00000002.2952134787.0000000031F1F000.00000004.00000020.00020000.00000000.sdmp, rwmbmyrA.pif, 0000000C.00000003.1900917450.00000000304A0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdbGCTL source: D9876543456780000.exe, 00000000.00000002.1722849844.00000000205F7000.00000004.00001000.00020000.00000000.sdmp, D9876543456780000.exe, 00000000.00000002.1722849844.00000000205E0000.00000004.00001000.00020000.00000000.sdmp, D9876543456780000.exe, 00000000.00000003.1685536723.00000000007EF000.00000004.00000020.00020000.00000000.sdmp, D9876543456780000.exe, 00000000.00000003.1685536723.0000000000818000.00000004.00000020.00020000.00000000.sdmp, D9876543456780000.exe, 00000000.00000003.1683811234.000000007F0A0000.00000004.00001000.00020000.00000000.sdmp, D9876543456780000.exe, 00000000.00000003.1684271849.000000007EF80000.00000004.00001000.00020000.00000000.sdmp, D9876543456780000.exe, 00000000.00000002.1722849844.0000000020580000.00000004.00001000.00020000.00000000.sdmp, D9876543456780000.exe, 00000000.00000003.1684271849.000000007EF93000.00000004.00001000.00020000.00000000.sdmp, rwmbmyrA.pif, 00000007.00000002.1846366620.0000000000710000.00000040.00000400.00020000.00000000.sdmp, rwmbmyrA.pif, 00000009.00000001.1808799246.0000000000670000.00000040.00000001.00020000.00000000.sdmp, rwmbmyrA.pif, 0000000C.00000001.1895125700.0000000000670000.00000040.00000001.00020000.00000000.sdmp

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Links\rwmbmyrA.pif	Unpacked PE file: 7.2.rwmbmyrA.pif.400000.1.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
Source: C:\Users\user\Links\rwmbmyrA.pif	Unpacked PE file: 9.2.rwmbmyrA.pif.400000.0.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
Source: C:\Users\user\Links\rwmbmyrA.pif	Unpacked PE file: 12.2.rwmbmyrA.pif.400000.0.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Links\rwmbmyrA.pif	Unpacked PE file: 7.2.rwmbmyrA.pif.400000.1.unpack
Source: C:\Users\user\Links\rwmbmyrA.pif	Unpacked PE file: 9.2.rwmbmyrA.pif.400000.0.unpack
Source: C:\Users\user\Links\rwmbmyrA.pif	Unpacked PE file: 12.2.rwmbmyrA.pif.400000.0.unpack

Yara detected DBatLoader

Source: Yara match	File source: 0.2.D9876543456780000.exe.28a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.D9876543456780000.exe.234de48.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.D9876543456780000.exe.234de48.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1691814466.000000000234D000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

.NET source code contains method to dynamically call methods (often used by packers)

Source: 7.2.rwmbmyrA.pif.1f740000.9.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 7.2.rwmbmyrA.pif.1eeb0f08.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 7.2.rwmbmyrA.pif.1c700d8e.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 7.2.rwmbmyrA.pif.1da16478.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 7.2.rwmbmyrA.pif.1da65390.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

.NET source code contains potential unpacker

Source: 7.2.rwmbmyrA.pif.1da15570.6.raw.unpack, _.cs

.Net Code: ___ System.Reflection.Assembly.Load(byte[])

Source: rwmbmyrA.pif.0.dr

Static PE information: 0x9E9038DB [Sun Apr 19 22:51:07 2054 UTC]

Source: C:\Users\user\Desktop\D9876543456780000.exe

Code function: 0_2_028B3E20 LoadLibraryW,GetProcAddress,WriteProcessMemory,FreeLibrary,

0_2_028B3E20

Source: C:\Users\user\Desktop\D9876543456780000.exe	Code function: 0_2_028C62A4 push 028C630Fh; ret	0_2_028C6307
Source: C:\Users\user\Desktop\D9876543456780000.exe	Code function: 0_2_028A3210 push eax; ret	0_2_028A324C
Source: C:\Users\user\Desktop\D9876543456780000.exe	Code function: 0_2_028C60AC push 028C6125h; ret	0_2_028C611D
Source: C:\Users\user\Desktop\D9876543456780000.exe	Code function: 0_2_028BA018 push ecx; mov dword ptr [esp], edx	0_2_028BA01D
Source: C:\Users\user\Desktop\D9876543456780000.exe	Code function: 0_2_028B606B push 028B60A4h; ret	0_2_028B609C
Source: C:\Users\user\Desktop\D9876543456780000.exe	Code function: 0_2_028B606C push 028B60A4h; ret	0_2_028B609C
Source: C:\Users\user\Desktop\D9876543456780000.exe	Code function: 0_2_028C61F8 push 028C6288h; ret	0_2_028C6280
Source: C:\Users\user\Desktop\D9876543456780000.exe	Code function: 0_2_028C6144 push 028C61ECh; ret	0_2_028C61E4
Source: C:\Users\user\Desktop\D9876543456780000.exe	Code function: 0_2_028A617A push 028A61BEh; ret	0_2_028A61B6
Source: C:\Users\user\Desktop\D9876543456780000.exe	Code function: 0_2_028A617C push 028A61BEh; ret	0_2_028A61B6
Source: C:\Users\user\Desktop\D9876543456780000.exe	Code function: 0_2_028AF600 push 028AF64Dh; ret	0_2_028AF645
Source: C:\Users\user\Desktop\D9876543456780000.exe	Code function: 0_2_028AC498 push 028AC61Eh; ret	0_2_028AC616
Source: C:\Users\user\Desktop\D9876543456780000.exe	Code function: 0_2_028AC491 push 028AC61Eh; ret	0_2_028AC616
Source: C:\Users\user\Desktop\D9876543456780000.exe	Code function: 0_2_028AF4F4 push 028AF56Ah; ret	0_2_028AF562
Source: C:\Users\user\Desktop\D9876543456780000.exe	Code function: 0_2_028B2410 push ecx; mov dword ptr [esp], edx	0_2_028B2412
Source: C:\Users\user\Desktop\D9876543456780000.exe	Code function: 0_2_028AF5FF push 028AF64Dh; ret	0_2_028AF645
Source: C:\Users\user\Desktop\D9876543456780000.exe	Code function: 0_2_028C5854 push 028C5A3Ah; ret	0_2_028C5A32
Source: C:\Users\user\Desktop\D9876543456780000.exe	Code function: 0_2_028B2EDA push 028B2F87h; ret	0_2_028B2F7F
Source: C:\Users\user\Desktop\D9876543456780000.exe	Code function: 0_2_028B2EDC push 028B2F87h; ret	0_2_028B2F7F
Source: C:\Users\user\Desktop\D9876543456780000.exe	Code function: 0_2_028ABE18 push ecx; mov dword ptr [esp], edx	0_2_028ABE1D
Source: C:\Users\user\Desktop\D9876543456780000.exe	Code function: 0_2_028B3F84 push 028B3FBCh; ret	0_2_028B3FB4
Source: C:\Users\user\Desktop\D9876543456780000.exe	Code function: 0_2_028B9FB4 push ecx; mov dword ptr [esp], edx	0_2_028B9FB9
Source: C:\Users\user\Desktop\D9876543456780000.exe	Code function: 0_2_028A5D9E push 028A5DFBh; ret	0_2_028A5DF3
Source: C:\Users\user\Desktop\D9876543456780000.exe	Code function: 0_2_028A5DA0 push 028A5DFBh; ret	0_2_028A5DF3
Source: C:\Users\user\Desktop\D9876543456780000.exe	Code function: 0_2_028ACDE0 push 028ACE0Ch; ret	0_2_028ACE04
Source: C:\Users\user\Desktop\D9876543456780000.exe	Code function: 0_2_028B3D40 push 028B3D82h; ret	0_2_028B3D7A
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 7_2_0041C40C push cs; iretd	7_2_0041C4E2
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 7_2_00423149 push eax; ret	7_2_00423179
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 7_2_0041C50E push cs; iretd	7_2_0041C4E2
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 7_2_004231C8 push eax; ret	7_2_00423179
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 7_2_0040E21D push ecx; ret	7_2_0040E230

Source: 7.2.rwmbmyrA.pif.1f740000.9.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'AbFEMnRCFJvfD', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 7.2.rwmbmyrA.pif.1eeb0f08.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'AbFEMnRCFJvfD', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 7.2.rwmbmyrA.pif.1c700d8e.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'AbFEMnRCFJvfD', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 7.2.rwmbmyrA.pif.1da16478.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'AbFEMnRCFJvfD', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 7.2.rwmbmyrA.pif.1da65390.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'AbFEMnRCFJvfD', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Users\user\Desktop\D9876543456780000.exe	File created: C:\Users\user\Links\rwmbmyrA.pif			Jump to dropped file
Source: C:\Users\user\Desktop\D9876543456780000.exe	File created: C:\Users\user\Links\Arymbmwr.PIF			Jump to dropped file

Source: C:\Users\user\Desktop\D9876543456780000.exe	File created: C:\Users\user\Links\rwmbmyrA.pif			Jump to dropped file
Source: C:\Users\user\Desktop\D9876543456780000.exe	File created: C:\Users\user\Links\Arymbmwr.PIF			Jump to dropped file

Source: C:\Users\user\Desktop\D9876543456780000.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Arymbmwr			Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Arymbmwr			Jump to behavior

Source: C:\Users\user\Desktop\D9876543456780000.exe

Code function: 0_2_028B64E4 GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_028B64E4

Source: C:\Users\user\Desktop\D9876543456780000.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\D9876543456780000.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\rwmbmyrA.pif	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Check if machine is in data center or colocation facility

Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Links\rwmbmyrA.pif	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Links\rwmbmyrA.pif	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Links\rwmbmyrA.pif	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Links\rwmbmyrA.pif	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Links\rwmbmyrA.pif	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Links\rwmbmyrA.pif	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: rwmbmyrA.pif, 00000007.00000002.1867038136.000000001C6BF000.00000004.00000020.00020000.00000000.sdmp, rwmbmyrA.pif, 00000007.00000003.1692827572.000000001AC96000.00000004.00000020.00020000.00000000.sdmp, rwmbmyrA.pif, 00000007.00000002.1868715464.000000001DA11000.00000004.00000800.00020000.00000000.sdmp, rwmbmyrA.pif, 00000007.00000002.1869048086.000000001EEB0000.00000004.08000000.00040000.00000000.sdmp, rwmbmyrA.pif, 00000007.00000002.1867501454.000000001CA42000.00000004.00000800.00020000.00000000.sdmp, rwmbmyrA.pif, 00000007.00000002.1869683388.000000001F740000.00000004.08000000.00040000.00000000.sdmp, rwmbmyrA.pif, 00000009.00000002.1961012950.0000000034621000.00000004.00000800.00020000.00000000.sdmp, rwmbmyrA.pif, 00000009.00000003.1811055079.000000003157E000.00000004.00000020.00020000.00000000.sdmp, rwmbmyrA.pif, 00000009.00000002.1958255110.000000003313F000.00000004.00000020.00020000.00000000.sdmp, rwmbmyrA.pif, 00000009.00000002.1962025501.0000000035BA0000.00000004.08000000.00040000.00000000.sdmp, rwmbmyrA.pif, 00000009.00000002.1959445791.0000000033590000.00000004.08000000.00040000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Links\rwmbmyrA.pif	Memory allocated: 1C7E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Memory allocated: 1CA10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Memory allocated: 1C920000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Memory allocated: 33410000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Memory allocated: 33620000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Memory allocated: 33480000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Memory allocated: 31D80000 memory reserve \| memory write watch
Source: C:\Users\user\Links\rwmbmyrA.pif	Memory allocated: 321E0000 memory reserve \| memory write watch
Source: C:\Users\user\Links\rwmbmyrA.pif	Memory allocated: 32100000 memory reserve \| memory write watch

Source: C:\Users\user\Links\rwmbmyrA.pif

7_2_004019F0

Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 599750	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 599493	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 598938	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 598828	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 598719	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 598594	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 598485	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 598360	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 598235	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 597735	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 597485	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 597369	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 597249	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 597117	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 597000	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 596886	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 596750	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 596625	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 596516	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 596391	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 596266	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 596157	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 596032	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 595907	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 595797	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 595688	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 595563	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 595438	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 595313	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 595188	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 595075	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 594969	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 594844	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 594735	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 594610	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 594348	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 594186	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 594077	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 593969	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 593829	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 593704	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 593593	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 593378	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 599654	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 599213	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 598829	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 598703	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 598594	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 598469	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 598359	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 598249	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 598107	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 598000	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 597890	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 597666	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 597554	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 597437	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 597186	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 597025	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 596873	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 596602	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 595622	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 595419	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 595310	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 595200	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 595091	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 594969	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 594839	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 600000
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 599875
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 599765
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 599656
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 599547
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 599437
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 599328
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 599219
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 599109
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 599000
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 598891
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 598764
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 598656
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 598547
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 598435
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 598328
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 598219
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 598094
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 597961
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 597859
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 597750
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 597640
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 597531
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 597422
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 597312
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 597203
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 597094
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 596984
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 596875
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 596765
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 596656
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 596547
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 596437
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 596328
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 596219
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 596109
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 596000
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 595890
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 595781
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 595672
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 595562
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 595453
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 595344
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 595234
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 595125
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 595016
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 594906
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 594797
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 594687
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 594578

Source: C:\Users\user\Links\rwmbmyrA.pif	Window / User API: threadDelayed 2578	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Window / User API: threadDelayed 7240	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Window / User API: threadDelayed 2622	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Window / User API: threadDelayed 2553	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Window / User API: threadDelayed 1642
Source: C:\Users\user\Links\rwmbmyrA.pif	Window / User API: threadDelayed 8219

Source: C:\Users\user\Links\rwmbmyrA.pif TID: 6016	Thread sleep count: 37 > 30	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 6016	Thread sleep time: -34126476536362649s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 6016	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 1448	Thread sleep count: 2578 > 30	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 6016	Thread sleep time: -599750s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 6016	Thread sleep time: -599493s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 6016	Thread sleep time: -599313s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 1448	Thread sleep count: 7240 > 30	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 6016	Thread sleep time: -599188s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 6016	Thread sleep time: -599063s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 6016	Thread sleep time: -598938s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 6016	Thread sleep time: -598828s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 6016	Thread sleep time: -598719s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 6016	Thread sleep time: -598594s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 6016	Thread sleep time: -598485s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 6016	Thread sleep time: -598360s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 6016	Thread sleep time: -598235s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 6016	Thread sleep time: -598110s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 6016	Thread sleep time: -597985s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 6016	Thread sleep time: -597860s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 6016	Thread sleep time: -597735s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 6016	Thread sleep time: -597610s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 6016	Thread sleep time: -597485s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 6016	Thread sleep time: -597369s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 6016	Thread sleep time: -597249s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 6016	Thread sleep time: -597117s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 6016	Thread sleep time: -597000s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 6016	Thread sleep time: -596886s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 6016	Thread sleep time: -596750s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 6016	Thread sleep time: -596625s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 6016	Thread sleep time: -596516s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 6016	Thread sleep time: -596391s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 6016	Thread sleep time: -596266s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 6016	Thread sleep time: -596157s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 6016	Thread sleep time: -596032s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 6016	Thread sleep time: -595907s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 6016	Thread sleep time: -595797s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 6016	Thread sleep time: -595688s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 6016	Thread sleep time: -595563s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 6016	Thread sleep time: -595438s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 6016	Thread sleep time: -595313s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 6016	Thread sleep time: -595188s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 6016	Thread sleep time: -595075s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 6016	Thread sleep time: -594969s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 6016	Thread sleep time: -594844s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 6016	Thread sleep time: -594735s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 6016	Thread sleep time: -594610s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 6016	Thread sleep time: -594485s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 6016	Thread sleep time: -594348s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 6016	Thread sleep time: -594186s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 6016	Thread sleep time: -594077s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 6016	Thread sleep time: -593969s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 6016	Thread sleep time: -593829s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 6016	Thread sleep time: -593704s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 6016	Thread sleep time: -593593s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 6016	Thread sleep time: -593378s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 1568	Thread sleep time: -18446744073709540s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 1568	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 6992	Thread sleep count: 2622 > 30	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 1568	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 6992	Thread sleep count: 2553 > 30	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 1568	Thread sleep time: -599765s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 1568	Thread sleep time: -599654s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 1568	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 1568	Thread sleep time: -599437s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 1568	Thread sleep time: -599328s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 1568	Thread sleep time: -599213s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 1568	Thread sleep time: -598829s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 1568	Thread sleep time: -598703s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 1568	Thread sleep time: -598594s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 1568	Thread sleep time: -598469s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 1568	Thread sleep time: -598359s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 1568	Thread sleep time: -598249s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 1568	Thread sleep time: -598107s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 1568	Thread sleep time: -598000s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 1568	Thread sleep time: -597890s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 1568	Thread sleep time: -597666s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 1568	Thread sleep time: -597554s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 1568	Thread sleep time: -597437s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 1568	Thread sleep time: -597186s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 1568	Thread sleep time: -597025s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 1568	Thread sleep time: -596873s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 1568	Thread sleep time: -596602s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 1568	Thread sleep time: -595622s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 1568	Thread sleep time: -595419s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 1568	Thread sleep time: -595310s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 1568	Thread sleep time: -595200s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 1568	Thread sleep time: -595091s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 1568	Thread sleep time: -594969s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 1568	Thread sleep time: -594839s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 3044	Thread sleep time: -22136092888451448s >= -30000s
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 3044	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 3044	Thread sleep time: -599875s >= -30000s
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 2976	Thread sleep count: 1642 > 30
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 2976	Thread sleep count: 8219 > 30
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 3044	Thread sleep time: -599765s >= -30000s
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 3044	Thread sleep time: -599656s >= -30000s
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 3044	Thread sleep time: -599547s >= -30000s
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 3044	Thread sleep time: -599437s >= -30000s
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 3044	Thread sleep time: -599328s >= -30000s
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 3044	Thread sleep time: -599219s >= -30000s
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 3044	Thread sleep time: -599109s >= -30000s
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 3044	Thread sleep time: -599000s >= -30000s
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 3044	Thread sleep time: -598891s >= -30000s
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 3044	Thread sleep time: -598764s >= -30000s
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 3044	Thread sleep time: -598656s >= -30000s
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 3044	Thread sleep time: -598547s >= -30000s
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 3044	Thread sleep time: -598435s >= -30000s
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 3044	Thread sleep time: -598328s >= -30000s
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 3044	Thread sleep time: -598219s >= -30000s
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 3044	Thread sleep time: -598094s >= -30000s
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 3044	Thread sleep time: -597961s >= -30000s
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 3044	Thread sleep time: -597859s >= -30000s
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 3044	Thread sleep time: -597750s >= -30000s
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 3044	Thread sleep time: -597640s >= -30000s
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 3044	Thread sleep time: -597531s >= -30000s
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 3044	Thread sleep time: -597422s >= -30000s
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 3044	Thread sleep time: -597312s >= -30000s
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 3044	Thread sleep time: -597203s >= -30000s
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 3044	Thread sleep time: -597094s >= -30000s
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 3044	Thread sleep time: -596984s >= -30000s
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 3044	Thread sleep time: -596875s >= -30000s
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 3044	Thread sleep time: -596765s >= -30000s
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 3044	Thread sleep time: -596656s >= -30000s
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 3044	Thread sleep time: -596547s >= -30000s
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 3044	Thread sleep time: -596437s >= -30000s
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 3044	Thread sleep time: -596328s >= -30000s
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 3044	Thread sleep time: -596219s >= -30000s
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 3044	Thread sleep time: -596109s >= -30000s
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 3044	Thread sleep time: -596000s >= -30000s
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 3044	Thread sleep time: -595890s >= -30000s
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 3044	Thread sleep time: -595781s >= -30000s
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 3044	Thread sleep time: -595672s >= -30000s
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 3044	Thread sleep time: -595562s >= -30000s
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 3044	Thread sleep time: -595453s >= -30000s
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 3044	Thread sleep time: -595344s >= -30000s
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 3044	Thread sleep time: -595234s >= -30000s
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 3044	Thread sleep time: -595125s >= -30000s
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 3044	Thread sleep time: -595016s >= -30000s
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 3044	Thread sleep time: -594906s >= -30000s
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 3044	Thread sleep time: -594797s >= -30000s
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 3044	Thread sleep time: -594687s >= -30000s
Source: C:\Users\user\Links\rwmbmyrA.pif TID: 3044	Thread sleep time: -594578s >= -30000s

Source: C:\Users\user\Links\rwmbmyrA.pif	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Links\rwmbmyrA.pif	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Links\rwmbmyrA.pif	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Links\rwmbmyrA.pif	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\Links\rwmbmyrA.pif	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\Links\rwmbmyrA.pif	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Users\user\Links\rwmbmyrA.pif	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Links\rwmbmyrA.pif	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Links\rwmbmyrA.pif	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Links\rwmbmyrA.pif	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Links\rwmbmyrA.pif	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Links\rwmbmyrA.pif	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\Links\rwmbmyrA.pif	Last function: Thread delayed
Source: C:\Users\user\Links\rwmbmyrA.pif	Last function: Thread delayed

Source: C:\Users\user\Desktop\D9876543456780000.exe

Code function: 0_2_028A52F8 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,

0_2_028A52F8

Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 599750	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 599493	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 598938	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 598828	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 598719	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 598594	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 598485	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 598360	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 598235	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 597735	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 597485	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 597369	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 597249	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 597117	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 597000	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 596886	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 596750	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 596625	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 596516	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 596391	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 596266	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 596157	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 596032	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 595907	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 595797	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 595688	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 595563	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 595438	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 595313	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 595188	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 595075	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 594969	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 594844	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 594735	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 594610	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 594348	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 594186	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 594077	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 593969	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 593829	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 593704	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 593593	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 593378	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 599654	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 599213	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 598829	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 598703	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 598594	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 598469	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 598359	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 598249	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 598107	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 598000	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 597890	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 597666	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 597554	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 597437	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 597186	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 597025	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 596873	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 596602	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 595622	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 595419	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 595310	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 595200	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 595091	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 594969	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 594839	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 600000
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 599875
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 599765
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 599656
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 599547
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 599437
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 599328
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 599219
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 599109
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 599000
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 598891
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 598764
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 598656
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 598547
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 598435
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 598328
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 598219
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 598094
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 597961
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 597859
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 597750
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 597640
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 597531
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 597422
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 597312
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 597203
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 597094
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 596984
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 596875
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 596765
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 596656
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 596547
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 596437
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 596328
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 596219
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 596109
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 596000
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 595890
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 595781
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 595672
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 595562
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 595453
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 595344
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 595234
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 595125
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 595016
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 594906
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 594797
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 594687
Source: C:\Users\user\Links\rwmbmyrA.pif	Thread delayed: delay time: 594578

Source: rwmbmyrA.pif, 0000000C.00000002.2952506379.0000000032212000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: Arymbmwr.PIF, 00000008.00000002.1809804184.000000000085F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll7
Source: rwmbmyrA.pif, 00000009.00000003.1860619335.0000000036AA0000.00000004.00000020.00020000.00000000.sdmp, rwmbmyrA.pif, 00000009.00000003.1860706317.0000000036ABB000.00000004.00000020.00020000.00000000.sdmp, rwmbmyrA.pif, 00000009.00000002.1963254910.0000000036AA1000.00000004.00000020.00020000.00000000.sdmp, rwmbmyrA.pif, 00000009.00000003.1890008910.0000000036AA7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll;
Source: rwmbmyrA.pif, 0000000C.00000003.1900917450.00000000304A0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmware
Source: rwmbmyrA.pif, 00000007.00000003.1747092038.000000001F0B9000.00000004.00000020.00020000.00000000.sdmp, rwmbmyrA.pif, 00000007.00000003.1732324078.000000001F0CB000.00000004.00000020.00020000.00000000.sdmp, rwmbmyrA.pif, 00000007.00000003.1732141141.000000001F0B2000.00000004.00000020.00020000.00000000.sdmp, rwmbmyrA.pif, 00000007.00000002.1869535498.000000001F090000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllr
Source: rwmbmyrA.pif, 0000000C.00000003.1900917450.00000000304A0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVBox
Source: D9876543456780000.exe, 00000000.00000002.1691175206.000000000077E000.00000004.00000020.00020000.00000000.sdmp, Arymbmwr.PIF, 0000000B.00000002.1896077212.0000000000848000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: rwmbmyrA.pif, 0000000C.00000003.1953891901.0000000035608000.00000004.00000020.00020000.00000000.sdmp, rwmbmyrA.pif, 0000000C.00000003.1951116417.00000000355EF000.00000004.00000020.00020000.00000000.sdmp, rwmbmyrA.pif, 0000000C.00000002.2955029547.00000000355E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlld

Source: C:\Users\user\Desktop\D9876543456780000.exe	API call chain: ExitProcess graph end node	graph_0-27149
Source: C:\Users\user\Links\rwmbmyrA.pif	API call chain: ExitProcess graph end node	graph_7-56578
Source: C:\Users\user\Links\Arymbmwr.PIF	API call chain: ExitProcess graph end node	graph_8-24675
Source: C:\Users\user\Links\rwmbmyrA.pif	API call chain: ExitProcess graph end node	graph_9-49344
Source: C:\Users\user\Links\Arymbmwr.PIF	API call chain: ExitProcess graph end node	graph_11-24693
Source: C:\Users\user\Links\rwmbmyrA.pif	API call chain: ExitProcess graph end node

Source: C:\Users\user\Links\rwmbmyrA.pif

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\Desktop\D9876543456780000.exe

Code function: 0_2_028BA5B0 GetModuleHandleW,GetProcAddress,CheckRemoteDebuggerPresent,

0_2_028BA5B0

Source: C:\Users\user\Desktop\D9876543456780000.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Process queried: DebugPort

Source: C:\Users\user\Links\rwmbmyrA.pif

Code function: 7_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

7_2_0040CE09

Source: C:\Users\user\Links\rwmbmyrA.pif

7_2_004019F0

Source: C:\Users\user\Desktop\D9876543456780000.exe

Code function: 0_2_028B3E20 LoadLibraryW,GetProcAddress,WriteProcessMemory,FreeLibrary,

0_2_028B3E20

Source: C:\Users\user\Links\rwmbmyrA.pif

Code function: 7_2_0040ADB0 GetProcessHeap,HeapFree,

7_2_0040ADB0

Source: C:\Users\user\Links\rwmbmyrA.pif

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 7_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_0040CE09
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 7_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_0040E61C
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 7_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_00416F6A
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 7_2_004123F1 SetUnhandledExceptionFilter,	7_2_004123F1
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 7_1_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_1_0040CE09
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 7_1_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_1_0040E61C
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 7_1_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_1_00416F6A
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 7_1_004123F1 SetUnhandledExceptionFilter,	7_1_004123F1
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 9_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	9_2_0040CE09
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 9_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	9_2_0040E61C
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 9_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_2_00416F6A
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 9_2_004123F1 SetUnhandledExceptionFilter,	9_2_004123F1
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 9_1_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	9_1_0040CE09
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 9_1_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	9_1_0040E61C
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 9_1_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_1_00416F6A
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 9_1_004123F1 SetUnhandledExceptionFilter,	9_1_004123F1
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 12_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	12_2_0040CE09
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 12_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	12_2_0040E61C
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 12_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	12_2_00416F6A
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 12_2_004123F1 SetUnhandledExceptionFilter,	12_2_004123F1
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 12_1_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	12_1_0040CE09
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 12_1_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	12_1_0040E61C
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 12_1_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	12_1_00416F6A
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: 12_1_004123F1 SetUnhandledExceptionFilter,	12_1_004123F1

Source: C:\Users\user\Links\rwmbmyrA.pif

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\D9876543456780000.exe	Memory allocated: C:\Users\user\Links\rwmbmyrA.pif base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Memory allocated: C:\Users\user\Links\rwmbmyrA.pif base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Memory allocated: C:\Users\user\Links\rwmbmyrA.pif base: 400000 protect: page execute and read and write	Jump to behavior

Sample uses process hollowing technique

Source: C:\Users\user\Desktop\D9876543456780000.exe	Section unmapped: C:\Users\user\Links\rwmbmyrA.pif base address: 400000	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section unmapped: C:\Users\user\Links\rwmbmyrA.pif base address: 400000	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Section unmapped: C:\Users\user\Links\rwmbmyrA.pif base address: 400000	Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\D9876543456780000.exe	Memory written: C:\Users\user\Links\rwmbmyrA.pif base: 3E7008	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Memory written: C:\Users\user\Links\rwmbmyrA.pif base: 367008	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Memory written: C:\Users\user\Links\rwmbmyrA.pif base: 3E8008	Jump to behavior

Source: C:\Users\user\Desktop\D9876543456780000.exe	Process created: C:\Users\user\Links\rwmbmyrA.pif C:\\Users\\user\\Links\rwmbmyrA.pif	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Process created: C:\Users\user\Links\rwmbmyrA.pif C:\\Users\\user\\Links\rwmbmyrA.pif	Jump to behavior
Source: C:\Users\user\Links\Arymbmwr.PIF	Process created: C:\Users\user\Links\rwmbmyrA.pif C:\\Users\\user\\Links\rwmbmyrA.pif	Jump to behavior

Source: C:\Users\user\Desktop\D9876543456780000.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,	0_2_028A54BC
Source: C:\Users\user\Desktop\D9876543456780000.exe	Code function: GetLocaleInfoA,	0_2_028AA0B8
Source: C:\Users\user\Desktop\D9876543456780000.exe	Code function: GetLocaleInfoA,	0_2_028AA104
Source: C:\Users\user\Desktop\D9876543456780000.exe	Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,	0_2_028A55C8
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: GetLocaleInfoA,	7_2_00417A20
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: GetLocaleInfoA,	7_1_00417A20
Source: C:\Users\user\Links\Arymbmwr.PIF	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	8_2_029854BC
Source: C:\Users\user\Links\Arymbmwr.PIF	Code function: GetLocaleInfoA,	8_2_0298A104
Source: C:\Users\user\Links\Arymbmwr.PIF	Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	8_2_029855C7
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: GetLocaleInfoA,	9_2_00417A20
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: GetLocaleInfoA,	9_1_00417A20
Source: C:\Users\user\Links\Arymbmwr.PIF	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	11_2_029954BC
Source: C:\Users\user\Links\Arymbmwr.PIF	Code function: GetLocaleInfoA,	11_2_0299A104
Source: C:\Users\user\Links\Arymbmwr.PIF	Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	11_2_029955C7
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: GetLocaleInfoA,	12_2_00417A20
Source: C:\Users\user\Links\rwmbmyrA.pif	Code function: GetLocaleInfoA,	12_1_00417A20

Source: C:\Users\user\Links\rwmbmyrA.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Links\rwmbmyrA.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Links\rwmbmyrA.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Links\rwmbmyrA.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Links\rwmbmyrA.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\D9876543456780000.exe

Code function: 0_2_028A8B38 GetLocalTime,

0_2_028A8B38

Source: C:\Users\user\Desktop\D9876543456780000.exe

Code function: 0_2_028B9F00 GetUserNameA,

0_2_028B9F00

Source: C:\Users\user\Desktop\D9876543456780000.exe

Code function: 0_2_028AB038 GetVersionExA,

0_2_028AB038

Source: C:\Users\user\Links\rwmbmyrA.pif

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 7.2.rwmbmyrA.pif.1da65390.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rwmbmyrA.pif.3317fe86.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rwmbmyrA.pif.1da65390.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rwmbmyrA.pif.33590000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.rwmbmyrA.pif.1ac96d68.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rwmbmyrA.pif.34625570.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rwmbmyrA.pif.31f60d8e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rwmbmyrA.pif.34675390.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rwmbmyrA.pif.34660000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rwmbmyrA.pif.331e5570.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rwmbmyrA.pif.1da15570.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rwmbmyrA.pif.33590f08.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rwmbmyrA.pif.33180d8e.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.rwmbmyrA.pif.3157e9d0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rwmbmyrA.pif.35ba0000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rwmbmyrA.pif.1c700d8e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rwmbmyrA.pif.3317fe86.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.rwmbmyrA.pif.3157e9d0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rwmbmyrA.pif.33235390.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rwmbmyrA.pif.31f60d8e.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rwmbmyrA.pif.31f5fe86.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.rwmbmyrA.pif.1ac96d68.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.rwmbmyrA.pif.304a08f8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rwmbmyrA.pif.34660f08.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rwmbmyrA.pif.1f740000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rwmbmyrA.pif.1eeb0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rwmbmyrA.pif.33235390.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rwmbmyrA.pif.1f740000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rwmbmyrA.pif.33180d8e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rwmbmyrA.pif.31f5fe86.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rwmbmyrA.pif.1da16478.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rwmbmyrA.pif.1da16478.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rwmbmyrA.pif.331e6478.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.rwmbmyrA.pif.304a08f8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rwmbmyrA.pif.34625570.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rwmbmyrA.pif.1eeb0f08.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rwmbmyrA.pif.34626478.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rwmbmyrA.pif.1c6ffe86.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rwmbmyrA.pif.1c6ffe86.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rwmbmyrA.pif.331e6478.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rwmbmyrA.pif.1da15570.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rwmbmyrA.pif.35ba0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rwmbmyrA.pif.1eeb0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rwmbmyrA.pif.1eeb0f08.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rwmbmyrA.pif.1c700d8e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rwmbmyrA.pif.33590000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rwmbmyrA.pif.33590f08.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rwmbmyrA.pif.34660f08.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rwmbmyrA.pif.34700000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rwmbmyrA.pif.34675390.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rwmbmyrA.pif.34700000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rwmbmyrA.pif.34660000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rwmbmyrA.pif.331e5570.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rwmbmyrA.pif.34626478.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.1959828527.000000003367E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1867038136.000000001C6BF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1961012950.0000000034621000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2953099355.00000000331E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2954305283.0000000034700000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2953458716.0000000034660000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.1811055079.000000003157E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.1692827572.000000001AC96000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1958255110.000000003313F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1868715464.000000001DA11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2952506379.000000003223D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1869048086.000000001EEB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2952506379.0000000032212000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1869683388.000000001F740000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1867501454.000000001CA42000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1867501454.000000001CA6E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1959445791.0000000033590000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.1900917450.00000000304A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1962025501.0000000035BA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2952134787.0000000031F1F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1959828527.0000000033652000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rwmbmyrA.pif PID: 4312, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rwmbmyrA.pif PID: 6976, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rwmbmyrA.pif PID: 5704, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 7.2.rwmbmyrA.pif.1da65390.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rwmbmyrA.pif.3317fe86.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rwmbmyrA.pif.1da65390.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rwmbmyrA.pif.33590000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.rwmbmyrA.pif.1ac96d68.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rwmbmyrA.pif.34625570.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rwmbmyrA.pif.31f60d8e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rwmbmyrA.pif.34675390.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rwmbmyrA.pif.34660000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rwmbmyrA.pif.331e5570.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rwmbmyrA.pif.1da15570.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rwmbmyrA.pif.33590f08.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rwmbmyrA.pif.33180d8e.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.rwmbmyrA.pif.3157e9d0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rwmbmyrA.pif.35ba0000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rwmbmyrA.pif.1c700d8e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rwmbmyrA.pif.3317fe86.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.rwmbmyrA.pif.3157e9d0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rwmbmyrA.pif.33235390.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rwmbmyrA.pif.31f60d8e.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rwmbmyrA.pif.31f5fe86.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.rwmbmyrA.pif.1ac96d68.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.rwmbmyrA.pif.304a08f8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rwmbmyrA.pif.34660f08.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rwmbmyrA.pif.1f740000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rwmbmyrA.pif.1eeb0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rwmbmyrA.pif.33235390.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rwmbmyrA.pif.1f740000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rwmbmyrA.pif.33180d8e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rwmbmyrA.pif.31f5fe86.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rwmbmyrA.pif.1da16478.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rwmbmyrA.pif.1da16478.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rwmbmyrA.pif.331e6478.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.rwmbmyrA.pif.304a08f8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rwmbmyrA.pif.34625570.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rwmbmyrA.pif.1eeb0f08.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rwmbmyrA.pif.34626478.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rwmbmyrA.pif.1c6ffe86.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rwmbmyrA.pif.1c6ffe86.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rwmbmyrA.pif.331e6478.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rwmbmyrA.pif.1da15570.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rwmbmyrA.pif.35ba0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rwmbmyrA.pif.1eeb0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rwmbmyrA.pif.1eeb0f08.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rwmbmyrA.pif.1c700d8e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rwmbmyrA.pif.33590000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rwmbmyrA.pif.33590f08.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rwmbmyrA.pif.34660f08.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rwmbmyrA.pif.34700000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rwmbmyrA.pif.34675390.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rwmbmyrA.pif.34700000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rwmbmyrA.pif.34660000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rwmbmyrA.pif.331e5570.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rwmbmyrA.pif.34626478.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.1867038136.000000001C6BF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1961012950.0000000034621000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2953099355.00000000331E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2954305283.0000000034700000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2953458716.0000000034660000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.1811055079.000000003157E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.1692827572.000000001AC96000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1958255110.000000003313F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1868715464.000000001DA11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1869048086.000000001EEB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1869683388.000000001F740000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1959445791.0000000033590000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.1900917450.00000000304A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1962025501.0000000035BA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2952134787.0000000031F1F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Links\rwmbmyrA.pif	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Links\rwmbmyrA.pif	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Links\rwmbmyrA.pif	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\Links\rwmbmyrA.pif	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Links\rwmbmyrA.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Links\rwmbmyrA.pif	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Links\rwmbmyrA.pif

File opened: C:\FTP Navigator\Ftplist.txt

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Links\rwmbmyrA.pif	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\Links\rwmbmyrA.pif	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Links\rwmbmyrA.pif	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Links\rwmbmyrA.pif	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Links\rwmbmyrA.pif	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\Links\rwmbmyrA.pif	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Source: Yara match	File source: 7.2.rwmbmyrA.pif.1da65390.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rwmbmyrA.pif.3317fe86.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rwmbmyrA.pif.1da65390.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rwmbmyrA.pif.33590000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.rwmbmyrA.pif.1ac96d68.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rwmbmyrA.pif.34625570.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rwmbmyrA.pif.31f60d8e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rwmbmyrA.pif.34675390.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rwmbmyrA.pif.34660000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rwmbmyrA.pif.331e5570.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rwmbmyrA.pif.1da15570.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rwmbmyrA.pif.33590f08.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rwmbmyrA.pif.33180d8e.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.rwmbmyrA.pif.3157e9d0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rwmbmyrA.pif.35ba0000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rwmbmyrA.pif.1c700d8e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rwmbmyrA.pif.3317fe86.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.rwmbmyrA.pif.3157e9d0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rwmbmyrA.pif.33235390.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rwmbmyrA.pif.31f60d8e.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rwmbmyrA.pif.31f5fe86.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.rwmbmyrA.pif.1ac96d68.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.rwmbmyrA.pif.304a08f8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rwmbmyrA.pif.34660f08.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rwmbmyrA.pif.1f740000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rwmbmyrA.pif.1eeb0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rwmbmyrA.pif.33235390.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rwmbmyrA.pif.1f740000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rwmbmyrA.pif.33180d8e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rwmbmyrA.pif.31f5fe86.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rwmbmyrA.pif.1da16478.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rwmbmyrA.pif.1da16478.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rwmbmyrA.pif.331e6478.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.rwmbmyrA.pif.304a08f8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rwmbmyrA.pif.34625570.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rwmbmyrA.pif.1eeb0f08.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rwmbmyrA.pif.34626478.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rwmbmyrA.pif.1c6ffe86.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rwmbmyrA.pif.1c6ffe86.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rwmbmyrA.pif.331e6478.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rwmbmyrA.pif.1da15570.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rwmbmyrA.pif.35ba0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rwmbmyrA.pif.1eeb0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rwmbmyrA.pif.1eeb0f08.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rwmbmyrA.pif.1c700d8e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rwmbmyrA.pif.33590000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rwmbmyrA.pif.33590f08.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rwmbmyrA.pif.34660f08.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rwmbmyrA.pif.34700000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rwmbmyrA.pif.34675390.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rwmbmyrA.pif.34700000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rwmbmyrA.pif.34660000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rwmbmyrA.pif.331e5570.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rwmbmyrA.pif.34626478.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.1867038136.000000001C6BF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1961012950.0000000034621000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2953099355.00000000331E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2954305283.0000000034700000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2953458716.0000000034660000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.1811055079.000000003157E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.1692827572.000000001AC96000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1958255110.000000003313F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1868715464.000000001DA11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1869048086.000000001EEB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2952506379.0000000032212000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1869683388.000000001F740000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1867501454.000000001CA42000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1959445791.0000000033590000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.1900917450.00000000304A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1962025501.0000000035BA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2952134787.0000000031F1F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1959828527.0000000033652000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rwmbmyrA.pif PID: 4312, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rwmbmyrA.pif PID: 6976, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rwmbmyrA.pif PID: 5704, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 7.2.rwmbmyrA.pif.1da65390.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rwmbmyrA.pif.3317fe86.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rwmbmyrA.pif.1da65390.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rwmbmyrA.pif.33590000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.rwmbmyrA.pif.1ac96d68.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rwmbmyrA.pif.34625570.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rwmbmyrA.pif.31f60d8e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rwmbmyrA.pif.34675390.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rwmbmyrA.pif.34660000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rwmbmyrA.pif.331e5570.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rwmbmyrA.pif.1da15570.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rwmbmyrA.pif.33590f08.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rwmbmyrA.pif.33180d8e.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.rwmbmyrA.pif.3157e9d0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rwmbmyrA.pif.35ba0000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rwmbmyrA.pif.1c700d8e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rwmbmyrA.pif.3317fe86.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.rwmbmyrA.pif.3157e9d0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rwmbmyrA.pif.33235390.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rwmbmyrA.pif.31f60d8e.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rwmbmyrA.pif.31f5fe86.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.rwmbmyrA.pif.1ac96d68.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.rwmbmyrA.pif.304a08f8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rwmbmyrA.pif.34660f08.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rwmbmyrA.pif.1f740000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rwmbmyrA.pif.1eeb0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rwmbmyrA.pif.33235390.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rwmbmyrA.pif.1f740000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rwmbmyrA.pif.33180d8e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rwmbmyrA.pif.31f5fe86.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rwmbmyrA.pif.1da16478.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rwmbmyrA.pif.1da16478.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rwmbmyrA.pif.331e6478.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.rwmbmyrA.pif.304a08f8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rwmbmyrA.pif.34625570.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rwmbmyrA.pif.1eeb0f08.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rwmbmyrA.pif.34626478.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rwmbmyrA.pif.1c6ffe86.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rwmbmyrA.pif.1c6ffe86.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rwmbmyrA.pif.331e6478.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rwmbmyrA.pif.1da15570.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rwmbmyrA.pif.35ba0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rwmbmyrA.pif.1eeb0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rwmbmyrA.pif.1eeb0f08.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rwmbmyrA.pif.1c700d8e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rwmbmyrA.pif.33590000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rwmbmyrA.pif.33590f08.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rwmbmyrA.pif.34660f08.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rwmbmyrA.pif.34700000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rwmbmyrA.pif.34675390.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rwmbmyrA.pif.34700000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rwmbmyrA.pif.34660000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rwmbmyrA.pif.331e5570.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rwmbmyrA.pif.34626478.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.1959828527.000000003367E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1867038136.000000001C6BF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1961012950.0000000034621000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2953099355.00000000331E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2954305283.0000000034700000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2953458716.0000000034660000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.1811055079.000000003157E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.1692827572.000000001AC96000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1958255110.000000003313F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1868715464.000000001DA11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2952506379.000000003223D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1869048086.000000001EEB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2952506379.0000000032212000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1869683388.000000001F740000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1867501454.000000001CA42000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1867501454.000000001CA6E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1959445791.0000000033590000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.1900917450.00000000304A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1962025501.0000000035BA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2952134787.0000000031F1F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1959828527.0000000033652000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rwmbmyrA.pif PID: 4312, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rwmbmyrA.pif PID: 6976, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rwmbmyrA.pif PID: 5704, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 7.2.rwmbmyrA.pif.1da65390.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rwmbmyrA.pif.3317fe86.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rwmbmyrA.pif.1da65390.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rwmbmyrA.pif.33590000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.rwmbmyrA.pif.1ac96d68.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rwmbmyrA.pif.34625570.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rwmbmyrA.pif.31f60d8e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rwmbmyrA.pif.34675390.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rwmbmyrA.pif.34660000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rwmbmyrA.pif.331e5570.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rwmbmyrA.pif.1da15570.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rwmbmyrA.pif.33590f08.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rwmbmyrA.pif.33180d8e.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.rwmbmyrA.pif.3157e9d0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rwmbmyrA.pif.35ba0000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rwmbmyrA.pif.1c700d8e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rwmbmyrA.pif.3317fe86.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.rwmbmyrA.pif.3157e9d0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rwmbmyrA.pif.33235390.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rwmbmyrA.pif.31f60d8e.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rwmbmyrA.pif.31f5fe86.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.rwmbmyrA.pif.1ac96d68.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.rwmbmyrA.pif.304a08f8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rwmbmyrA.pif.34660f08.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rwmbmyrA.pif.1f740000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rwmbmyrA.pif.1eeb0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rwmbmyrA.pif.33235390.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rwmbmyrA.pif.1f740000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rwmbmyrA.pif.33180d8e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rwmbmyrA.pif.31f5fe86.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rwmbmyrA.pif.1da16478.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rwmbmyrA.pif.1da16478.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rwmbmyrA.pif.331e6478.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.rwmbmyrA.pif.304a08f8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rwmbmyrA.pif.34625570.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rwmbmyrA.pif.1eeb0f08.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rwmbmyrA.pif.34626478.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rwmbmyrA.pif.1c6ffe86.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rwmbmyrA.pif.1c6ffe86.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rwmbmyrA.pif.331e6478.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rwmbmyrA.pif.1da15570.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rwmbmyrA.pif.35ba0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rwmbmyrA.pif.1eeb0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rwmbmyrA.pif.1eeb0f08.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rwmbmyrA.pif.1c700d8e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rwmbmyrA.pif.33590000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rwmbmyrA.pif.33590f08.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rwmbmyrA.pif.34660f08.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rwmbmyrA.pif.34700000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rwmbmyrA.pif.34675390.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rwmbmyrA.pif.34700000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rwmbmyrA.pif.34660000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rwmbmyrA.pif.331e5570.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rwmbmyrA.pif.34626478.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.1867038136.000000001C6BF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1961012950.0000000034621000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2953099355.00000000331E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2954305283.0000000034700000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2953458716.0000000034660000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.1811055079.000000003157E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.1692827572.000000001AC96000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1958255110.000000003313F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1868715464.000000001DA11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1869048086.000000001EEB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1869683388.000000001F740000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1959445791.0000000033590000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.1900917450.00000000304A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1962025501.0000000035BA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2952134787.0000000031F1F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Valid Accounts	231 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	1 Exfiltration Over Alternative Protocol	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 Valid Accounts	1 Valid Accounts	11 Deobfuscate/Decode Files or Information	1 Input Capture	1 Account Discovery	Remote Desktop Protocol	2 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Shared Modules	1 Registry Run Keys / Startup Folder	1 Access Token Manipulation	2 Obfuscated Files or Information	1 Credentials in Registry	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	2 Command and Scripting Interpreter	Login Hook	311 Process Injection	4 Software Packing	NTDS	47 System Information Discovery	Distributed Component Object Model	1 Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 Registry Run Keys / Startup Folder	1 Timestomp	LSA Secrets	661 Security Software Discovery	SSH	Keylogging	12 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	261 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Masquerading	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Valid Accounts	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	261 Virtualization/Sandbox Evasion	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	311 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report D9876543456780000.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
D9876543456780000.exe